Trojan.Win32.FlyStudio_99b70f3517

by malwarelabrobot on May 19th, 2017 in Malware Descriptions.

Trojan.Generic.21160325 (BitDefender), BrowserModifier:Win32/Webalta (Microsoft), HEUR:Packed.Win32.Blackv.gen (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.DownLoader24.49750 (DrWeb), Application.ChinAd (A) (Emsisoft), Packed-LF!99B70F3517EB (McAfee), ML.Attribute.HighConfidence (Symantec), PUA.NoobyProtect (Ikarus), Trojan.Generic.21160325 (FSecure), Win32:Malware-gen (Avast), TROJ_GEN.R02LC0GDT17 (TrendMicro), Trojan-Downloader.Win32.Karagany.1.FD, Trojan-PSW.Win32.Bzub.2.FD, Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, GenericInjector.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan-PSW, Trojan, Packed, Malware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: 99b70f3517eb959ad7649378fe6ffb47
SHA1: 0179592b402ae7611897eaf1ce93a1cb19a07db1
SHA256: 769935e6a644087471b7b2910bd4b7662298be39e099db6fa1c9d89ef5733f8e
SSDeep: 49152:lDhJJp8CnQgZnP8jzm46B5jwqOxNn /pv3lD1jN3qQaKyk3NgwoaJWN/l xZU:9L8bsKzIOxN /JV5R3Za8KgJWNuZU
Size: 3141712 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, ACProtect141
Company: no certificate found
Created at: 2017-04-14 13:24:44
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:3700

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3700 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\stat[1].js (1321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\zz_1235k_com[1].htm (20 bytes)
C:\%original file name%.exe (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\core[1].js (766 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\pic1[1].gif (428 bytes)
C:\AppData\AppConfig.ini (40 bytes)
C:\AppData\QS.db (83 bytes)
C:\AppData\QS.db-journal (1638 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\YVO1QEAO.txt (111 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\IF7ACF98.txt (379 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\L6GP1A49.txt (116 bytes)
C:\AppLink\sql.dll (1677 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\stat[1].gif (43 bytes)

The Trojan deletes the following file(s):

C:\AppData\QS.db-journal (0 bytes)
C:\hkdxlogfzchkrkfsmoyn.dfg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\YVO1QEAO.txt (0 bytes)

Registry activity

The process %original file name%.exe:3700 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\99b70f3517eb959ad7649378fe6ffb47_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\99b70f3517eb959ad7649378fe6ffb47_RASAPI32]
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\99b70f3517eb959ad7649378fe6ffb47_RASMANCS]
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD]
"Blob" = "0F 00 00 00 01 00 00 00 20 00 00 00 52 29 BA 15"

[HKLM\SOFTWARE\Microsoft\Tracing\99b70f3517eb959ad7649378fe6ffb47_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\99b70f3517eb959ad7649378fe6ffb47_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\99b70f3517eb959ad7649378fe6ffb47_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\99b70f3517eb959ad7649378fe6ffb47_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\99b70f3517eb959ad7649378fe6ffb47_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\99b70f3517eb959ad7649378fe6ffb47_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\99b70f3517eb959ad7649378fe6ffb47_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"D69B561148F01C77C54578C10926DF5B856976AD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5	File path
9e4dfab7c3b7eb2ea00303f7f6bc5a5b	c:\%original file name%.exe
495d3d4af3dfc66c67ce230f81070058	c:\AppLink\sql.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ?????
Product Name: QQ??????? Www.52Dfg.Com
Product Version: 1.0.0.0
Legal Copyright: ??????????[www.52dfg.com],??????,?????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ????QQ?????,?????,??????,????????
Comments: ???????
Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	3559424	1449984	5.54487	37143ba936c00c9599afa860fc5af415
UPX	3563520	1650688	1650688	4.7304	e49306209417ebe9fb090d72f4118c98
.idata	5214208	4096	4096	1.09589	773d675173a0482223d30dac431c4bc4
.rsrc	5218304	20480	20480	2.48669	6f66058eff27d1097387e27e6548d347
UPX	5238784	4096	4096	5.53427	32a23deb864f7d129023e3c7f154e0d5

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://zz.1235k.com.cname.yunjiasu-cdn.net/?XQS10.83	162.159.210.8
hxxp://all.cnzz.com.danuoyi.tbcache.com/stat.php?id=1257758218&show=pic1
hxxp://all.cnzz.com.danuoyi.tbcache.com/core.php?web_id=1257758218&show=pic1&t=z
hxxp://z.gds.cnzz.com/stat.htm?id=1257758218&r=&lg=en-us&ntime=none&cnzz_eid=1986096413-1495064564-&showp=1276x846&t=é»˜è®¤ä¸»é¡µ&umuuid=15c190954712e9-06dabd3c631d55c-44703d1f-1078c8-15c19095472245&h=1&rnd=195518631
hxxp://all.cnzz.com.danuoyi.tbcache.com/img/pic1.gif
hxxp://c.cnzz.com/core.php?web_id=1257758218&show=pic1&t=z	222.186.49.224
hxxp://zz.1235k.com/?XQS10.83	162.159.210.8
hxxp://z4.cnzz.com/stat.htm?id=1257758218&r=&lg=en-us&ntime=none&cnzz_eid=1986096413-1495064564-&showp=1276x846&t=é»˜è®¤ä¸»é¡µ&umuuid=15c190954712e9-06dabd3c631d55c-44703d1f-1078c8-15c19095472245&h=1&rnd=195518631	1.122.192.15
hxxp://s95.cnzz.com/stat.php?id=1257758218&show=pic1	1.99.192.16
hxxp://icon.cnzz.com/img/pic1.gif	222.186.49.224
apisoft.df0535.com	162.159.238.244

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /stat.php?id=1257758218&show=pic1 HTTP/1.1

Accept: */*

Referer: hXXp://zz.1235k.com/?XQS10.83

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: s95.cnzz.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: Tengine

Content-Type: application/javascript

Content-Length: 10991

Connection: keep-alive

Date: Wed, 17 May 2017 23:42:44 GMT

Last-Modified: Wed, 17 May 2017 23:42:44 GMT

Cache-Control: max-age=5400,s-maxage=5400

Via: cache14.l2et15[0,200-0,H], cache6.l2et15[1,0], kunlun7.cn74[0,200-0,H], kunlun10.cn74[2,0]

Age: 4096

X-Cache: HIT TCP_MEM_HIT dirn:9:328055765

X-Swift-SaveTime: Wed, 17 May 2017 23:43:16 GMT

X-Swift-CacheTime: 5368

Timing-Allow-Origin: *

EagleId: deba31a314950686606675627e
(function(){function k(){this.c="1257758218";this.ca="z";this.Z="pic1"
;this.W="";this.Y="";this.C="1495064564";this.aa="z4.cnzz.com";this.X=
"";this.G="CNZZDATA" this.c;this.F="_CNZZDbridge_" this.c;this.P="_cnz
z_CV" this.c;this.R="CZ_UUID" this.c;this.L="UM_distinctid";this.H="0"
;this.K={};this.a={};this.Aa()}function g(a,.b){try{var c=[];c.push("s
iteid=1257758218");c.push("name=" f(a.name));c.push("msg=" f(a.message
));c.push("r=" f(h.referrer));c.push("page=" f(e.location.href));c.pus
h("agent=" f(e.navigator.userAgent));c.push("ex=" f(b));c.push("rnd=" 
Math.floor(2147483648*Math.random()));(new Image).src="hXXp://jserr.cn
zz.com/log.php?" c.join("&")}catch(d){}}var h=document,e=window,f=enco
deURIComponent,m=decodeURIComponent,r=unescape;k.prototype={Aa:functio
n(){try{this.ja(),this.V(),this.wa(),this.T(),this.za(),.this.w(),this
.ua(),this.ta(),this.xa(),this.o(),this.sa(),this.va(),this.ya(),this.
qa(),this.oa(),this.ra(),this.Ea(),e[this.F]=e[this.F]||{},this.pa("_c
nzz_CV")}catch(a){g(a,"i failed")}},Ca:function(){try{var a=this;e._cz
c={push:function(){return a.M.apply(a,arguments)}}}catch(b){g(b,"oP fa
iled")}},oa:function(){try{var a=e._czc;if("[object Array]"==={}.toStr
ing.call(a))for(var b=0;b<a.length;b  ){var c=a[b];switch(c[0]){cas
e "_setAccount":e._cz_account="[object String]"==={}.toString.call(c[1
])?.c[1]:String(c[1]);break;case "_setAutoPageview":"boolean"===typeof
 c[1]&&(e._cz_autoPageview=c[1])}}}catch(d){g(d,"cS failed")}},Ea:func
tion(){try{if("undefined"===typeof e._cz_account||e._cz_account===<<< skipped >>>

GET /img/pic1.gif HTTP/1.1

Accept: */*

Referer: hXXp://zz.1235k.com/?XQS10.83

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: icon.cnzz.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: Tengine

Content-Type: image/gif

Content-Length: 428

Connection: keep-alive

Date: Wed, 17 May 2017 04:55:24 GMT

Last-Modified: Fri, 16 Jan 2009 08:10:47 GMT

Expires: Thu, 18 May 2017 04:55:24 GMT

Cache-Control: max-age=86400

Accept-Ranges: bytes

Via: cache58.l2ne1[20,200-0,M], cache31.l2ne1[21,0], kunlun4.cn74[0,200-0,H], kunlun10.cn74[1,0]

Age: 71738

X-Cache: HIT TCP_MEM_HIT dirn:11:269037565

X-Swift-SaveTime: Wed, 17 May 2017 04:55:24 GMT

X-Swift-CacheTime: 86400

Timing-Allow-Origin: *

EagleId: deba31a314950686624724216e

GIF89a.......f..3...33.......................................!..NETSCA
PE2.0.....!..Powered by AFEI.!.......,.............I........08bX....d.
n...CS.3......_..`..H..H\8....)...S.b.UX.....(...r.L....tb]&"......#..
.o.V.a..D..o.V.a..........D..o.V.a..........D...........!.......,.....
........I........08bX....d.n...CS.3......_..`..H..H\8....).:...@..z...
x ..........D.| .#.u.a....n~D..[....n..........D..[...n..........D....
.......;HTTP/1.1 200 OK..Server: Tengine..Content-Type: image/gif..Con
tent-Length: 428..Connection: keep-alive..Date: Wed, 17 May 2017 04:55
:24 GMT..Last-Modified: Fri, 16 Jan 2009 08:10:47 GMT..Expires: Thu, 1
8 May 2017 04:55:24 GMT..Cache-Control: max-age=86400..Accept-Ranges: 
bytes..Via: cache58.l2ne1[20,200-0,M], cache31.l2ne1[21,0], kunlun4.cn
74[0,200-0,H], kunlun10.cn74[1,0]..Age: 71738..X-Cache: HIT TCP_MEM_HI
T dirn:11:269037565..X-Swift-SaveTime: Wed, 17 May 2017 04:55:24 GMT..
X-Swift-CacheTime: 86400..Timing-Allow-Origin: *..EagleId: deba31a3149
50686624724216e..GIF89a.......f..3...33...............................
........!..NETSCAPE2.0.....!..Powered by AFEI.!.......,.............I.
.......08bX....d.n...CS.3......_..`..H..H\8....)...S.b.UX.....(...r.L.
...tb]&"......#...o.V.a..D..o.V.a..........D..o.V.a..........D........
...!.......,.............I........08bX....d.n...CS.3......_..`..H..H\8
....).:...@..z...x ..........D.| .#.u.a....n~D..[....n..........D..[..
.n..........D...........;..

<<< skipped >>>

GET /?XQS10.83 HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: zz.1235k.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Date: Thu, 18 May 2017 00:50:59 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=d39ae076dd759abec5ed0317112fde76a1495068658; expires=Fri, 18-May-18 00:50:58 GMT; path=/; domain=.1235k.com; HttpOnly

Last-Modified: Tue, 20 Sep 2016 14:55:56 GMT

Server: yunjiasu-nginx

CF-RAY: 360ad34e44cc4ec6-DME

Content-Encoding: gzip
39c.............T]..D.}.....U.D.=qL6.c...C .Z. ..jbO.i....7.....'VH.A.
T.Z.P.mx(....?.d.<./...nX.PY....{..;........[.....n}r...-...~j. l..
...{....V.=...pB..C..H...yhB8.....Q6....Dh."9..| Ss..4e.Jf... ..GG...i
zJ..._N...`}z.5.u1?]?|f...%k.9.BK.....VZ4.8.jo.b.8id .O8....x.E..1..5.
@!..i.....|!K..h....b...p..@.4"...c..W..o./...F..I`.Rf.\...M..q......h
....G..h....R8.Y.C}.......j[.}...2.......OC..d../..W...N..W..n.,oM._.G
...5'f.H.).8f.Ic.........n....}f.I.p.....G"..].....}?f.bQp.^.....Mb...
G..2.x..x0.l.-g......2&...Z9.._..d.q........L.S.......Q..`.S.t.zJ....\
:6....T..`.>*...Up.*iF1 ..........V.e=...I.-.......,Y.o.o.(d.iyz...
._......j..b.D.4.zzS..O....[....f@......>[..h1...,.....3=x._.......
..Tn9;^...b.......OV..........|..."|....9....i...y....U....'8<.....
.>.A..\.......u.....S'.6..Z....R*..0.H.....1#....G..qA...(D. ..O..8
......^.T..ZY..sF'g..`.....9v^.W......^...9t....za...7g./.s...........
.../5...I.3:J....0Y..ZCqo7e._.......a....U.p@......0..HTTP/1.1 200 OK.
.Date: Thu, 18 May 2017 00:50:59 GMT..Content-Type: text/html..Transfe
r-Encoding: chunked..Connection: keep-alive..Set-Cookie: __cfduid=d39a
e076dd759abec5ed0317112fde76a1495068658; expires=Fri, 18-May-18 00:50:
58 GMT; path=/; domain=.1235k.com; HttpOnly..Last-Modified: Tue, 20 Se
p 2016 14:55:56 GMT..Server: yunjiasu-nginx..CF-RAY: 360ad34e44cc4ec6-
DME..Content-Encoding: gzip..39c.............T]..D.}.....U.D.=qL6.c...
C .Z. ..jbO.i....7.....'VH.A.T.Z.P.mx(....?.d.<./...nX.PY....{..;..
......[.....n}r...-...~j. l.....{....V.=...pB..C..H...yhB8.....Q6.<<< skipped >>>

GET /stat.htm?id=1257758218&r=&lg=en-us&ntime=none&cnzz_eid=1986096413-1495064564-&showp=1276x846&t=é»˜è®¤ä¸»é¡µ&umuuid=15c190954712e9-06dabd3c631d55c-44703d1f-1078c8-15c19095472245&h=1&rnd=195518631 HTTP/1.1

Accept: */*

Referer: hXXp://zz.1235k.com/?XQS10.83

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: z4.cnzz.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: Tengine

Date: Thu, 18 May 2017 00:51:01 GMT

Content-Type: image/gif

Content-Length: 43

Last-Modified: Thu, 16 Apr 2015 02:22:34 GMT

Connection: close

Accept-Ranges: bytes

GIF89a.............!.......,...........D..;..

GET /core.php?web_id=1257758218&show=pic1&t=z HTTP/1.1

Accept: */*

Referer: hXXp://zz.1235k.com/?XQS10.83

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: c.cnzz.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: Tengine

Content-Type: application/javascript

Content-Length: 766

Connection: keep-alive

Date: Thu, 18 May 2017 00:41:56 GMT

Last-Modified: Thu, 18 May 2017 00:41:56 GMT

Expires: Thu, 18 May 2017 00:56:56 GMT

Via: cache19.l2et2-1[0,200-0,H], cache7.l2et2-1[0,0], kunlun8.cn74[0,200-0,H], kunlun4.cn74[0,0]

Age: 545

X-Cache: HIT TCP_MEM_HIT dirn:-2:-2

X-Swift-SaveTime: Thu, 18 May 2017 00:43:58 GMT

X-Swift-CacheTime: 778

Timing-Allow-Origin: *

EagleId: deba319d14950686615844911e
!function(){var p,q,r,a=encodeURIComponent,b="1257758218",c="pic1",d="
",e="online_v3.php",f="z4.cnzz.com",g="1",h="pic",i="z",j="站
8271;统计",k=window["_CNZZDbridge_" b]["bobject"],l="http:
",m="1",n=l "//online.cnzz.com/online/" e,o=[];o.push("id=" b),o.push(
"h=" f),o.push("on=" a(d)),o.push("s=" a(c)),n ="?" o.join("&"),"0"===
m&&k["callRequest"]([l "//cnzz.mmstat.com/9.gif?abc=1"]),g&&(""!==d?k[
"createScriptIcon"](n,"utf-8"):(q="z"==i?"hXXp://VVV.cnzz.com/stat/web
site.php?web_id=" b:"hXXp://quanjing.cnzz.com","pic"===h?(r=l "//icon.
cnzz.com/img/" c ".gif",p="<a href='" q "' target=_blank title='" j
 "'><img border=0 hspace=0 vspace=0 src='" r "'></a>"):
p="<a href='" q "' target=_blank title='" j "'>" j "</a>",
k["createIcon"]([p])))}();HTTP/1.1 200 OK..Server: Tengine..Content-Ty
pe: application/javascript..Content-Length: 766..Connection: keep-aliv
e..Date: Thu, 18 May 2017 00:41:56 GMT..Last-Modified: Thu, 18 May 201
7 00:41:56 GMT..Expires: Thu, 18 May 2017 00:56:56 GMT..Via: cache19.l
2et2-1[0,200-0,H], cache7.l2et2-1[0,0], kunlun8.cn74[0,200-0,H], kunlu
n4.cn74[0,0]..Age: 545..X-Cache: HIT TCP_MEM_HIT dirn:-2:-2..X-Swift-S
aveTime: Thu, 18 May 2017 00:43:58 GMT..X-Swift-CacheTime: 778..Timing
-Allow-Origin: *..EagleId: deba319d14950686615844911e..!function(){var
 p,q,r,a=encodeURIComponent,b="1257758218",c="pic1",d="",e="online_v3.
php",f="z4.cnzz.com",g="1",h="pic",i="z",j="站长统&#
35745;",k=window["_CNZZDbridge_" b]["bobject"],l="http:",m="1",n=l<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_3700:

.text

h.idata

H.rsrc

VCX.XA

t%SVh

FSShG

t$(SSh

~%UVW

u$SShe

K(.wS

ole32.dll

ntdll.dll

oleaut32.dll

advapi32.dll

Advapi32.dll

kernel32.dll

Kernel32.dll

user32.dll

KERNEL32.DLL

sqlite3

sql.dll

RegOpenKeyA

RegEnumKeyExA

RegCloseKey

CreateIoCompletionPort

sqlite3_last_insert_rowid

sqlite3_changes

sqlite3_errmsg

sqlite3_errcode

sqlite3_prepare_v2

sqlite3_step

sqlite3_reset

sqlite3_bind_int64

sqlite3_bind_int

sqlite3_bind_double

sqlite3_bind_blob

sqlite3_bind_text

sqlite3_bind_null

sqlite3_bind_parameter_count

sqlite3_bind_parameter_name

sqlite3_bind_parameter_index

sqlite3_clear_bindings

sqlite3_column_count

sqlite3_column_name

sqlite3_sql

sqlite3_column_text

sqlite3_column_bytes

sqlite3_column_int

sqlite3_column_int64

sqlite3_column_double

sqlite3_column_blob

sqlite3_finalize

sqlite3_busy_timeout

sqlite3_close

sqlite3_free

sqlite3_rekey

sqlite3_open_v2

sqlite3_key

sqlite3_libversion

sqlite3_exec

sqlite3_interrupt

{18C0788E-59AE-4112-B452-6BF0C1B727FB}

{86AB1D8A-7995-4D86-AE5F-18710759228B}

{A068799B-7551-46b9-8CA8-EEF8357AFEA4}

\AppData\AppConfig.ini

hXXps://apisoft.df0535.com/Dfgapi/grouplink.html?id=

hXXp://apisoft.df0535.com/Dfgapi/grouplink.html?id=

data.name

data.url

WinHttp.WinHttpRequest.5.1

application/x-www-form-urlencoded

MSScriptControl.ScriptControl

function get__key(o) {

a.push(i);

//return JSON.stringify(jsonobj);

if (Object.prototype.toString.apply(O) === '[object Array]') {

for (var i = 0; i < O.length; i  )

S.push(O2String(O[i]));

J = '['   S.join(',')   ']';

else if (Object.prototype.toString.apply(O) === '[object String]') {

J = '"'   O.replace(/"/g,"\\\"").replace(/\r/g,"\\r").replace(/\n/g,"\\n")   '"';

else if (Object.prototype.toString.apply(O) === '[object Number]') {

else if (Object.prototype.toString.apply(O) === '[object Date]') {

J = "new Date("   O.getTime()   ")";

else if (Object.prototype.toString.apply(O) === '[object RegExp]' || Object.prototype.toString.apply(O) === '[object Function]') {

J = O.toString();

else if (Object.prototype.toString.apply(O) === '[object Object]') {

t = typeof (O[i]) == 'string' ? '"'   O[i].replace(/"/g,"\\\"").replace(/\r/g,"\\r").replace(/\n/g,"\\n")   '"' : (typeof (O[i]) === 'object' ? O2String(O[i]) : O[i]);

S.push('\"'  i  '\"'   ':'   t);

J = '{'   S.join(',')   '}';

","__InvalidPassword":"

","__OLD_PASSWORD_WRONG":"

","__API_KEY_WRONG":"

[/dfgmsg][dfgcolor]

[dfgmsg]

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko QQBrowser/8.1.3700.400

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36 SE 2.X MetaSr 1.0

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36

Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

hXXps://ssl.ptlogin2.qq.com/login?u=

pass='

\AppData\wwwlist.txt

1970-01-01 08:00:00

T@\*.dfg

cmd /c regsvr32 msscript.ocx jscript.dll vbscript.dll /s

\AppLink\sql.dll

`.rdata

@.data

.rsrc

@.reloc

f;P.sC

W.RPj9

.FGy#

u u

tCPh

 ] ;^ }6

f;A.sK

.6.78.9:;

B.CDEFFG

large file support is disabled

unknown operation

SQL logic error or missing database

rekey

hexrekey

hexkey

foreign_keys

foreign_key_list

foreign_key_check

defer_foreign_keys

sqlite_compileoption_get

sqlite_compileoption_used

sqlite_crypt

sqlite_log

sqlite_source_id

sqlite_version

sqlite_attach

sqlite_detach

sqlite_stat4

sqlite_stat3

sqlite_stat1

sqlite_rename_parent

sqlite_rename_trigger

sqlite_rename_table

FOREIGN KEY

GetProcessHeap

RowKey

3.8.8.3

SQLite format 3

CREATE TABLE sqlite_master(

sql text

CREATE TEMP TABLE sqlite_temp_master(

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYWITHOUTERELEASEATTACHAVINGROUPDATEBEGINNERECURSIVEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTRIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY

@failed to allocate %u bytes of memory

failed memory resize %u to %u bytes

922337203685477580

Adelayed %dms for lock/sharing conflict

sqlite_user

misuse at line %d of [%.10s]

cannot open file at line %d of [%.10s]

SQLITE_

os_win.c:%d: (%lu) %s(%s) - %s

%s%c%s

%s(%d)

%s prohibited in partial index WHERE clauses

%s prohibited in CHECK constraints

%r %s BY term out of range - should be between 1 and %d

Expression tree is too large (maximum depth %d)

too many SQL variables

variable number must be between ?1 and ?%d

too many columns in %s

%s OR name=%Q

type='trigger' AND (%s)

table %s may not be altered

sqlite_

%s cannot use variables

access to %s.%s.%s is prohibited

access to %s.%s is prohibited

object name reserved for internal use: %s

duplicate column name: %s

too many columns on %s

DELETE FROM %Q.%s WHERE %s=%Q

sqlite_stat%d

cannot modify %s because it is a view

table %s may not be modified

foreign key mismatch - "%w" referencing "%w"

unknown or unsupported join type: %T %T%s%T

RIGHT and FULL OUTER JOINs are not currently supported

SELECTs to the left and right of %s do not have the same number of result columns

no such index: %s

sqlite3_get_table() called with two or more incompatible queries

table %s: xBestIndex returned an invalid plan

no such vfs: %s

%s mode not allowed: %s

no such %s mode: %s

FROM '%q'.'%q%s' AS x

,%s(x.'c%d%q')

,%s(?)

unknown tokenizer: %s

unrecognized matchinfo request: %c

>@SQLite format 3

FOREIGN KEY constraint failed

hex literal too big: %s

unknown column "%s" in foreign key definition

number of columns in foreign key does not match the number of columns in the referenced table

foreign key on %s should reference only one column of table %T

a JOIN clause is required before %s

duplicate WITH table name: %s

error during initialization: %s

no entry point [%s] in shared library [%s]

sqlite3_

unable to open shared library [%s]

%s.%s

sqlite3_extension_init

USE TEMP B-TREE FOR %s

COMPOUND SUBQUERIES %d AND %d %s(%s)

%s:%d

recursive reference in a subquery: %s

multiple recursive references: %s

table %s has %d values for %d columns

circular reference: %s

multiple references to recursive table: %s

SCAN TABLE %s%s%s

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

sqlite_master

sqlite_temp_master

vtable constructor did not declare schema: %s

vtable constructor failed: %s

no such module: %s

%s.xBestIndex() malfunction

%s-shm

unable to use function %s in the requested context

CREATE TABLE %Q.%s(%s)

%s %T cannot reference objects in database %s

default value of column [%s] is not constant

UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d

%s.rowid

no such collation sequence: %s

cannot join using column %s - column not present in both tables

cannot have both ON and USING clauses in the same join

a NATURAL join may not have an ON or USING clause

column%d

%s: %s

%s: %s.%s

%s: %s.%s.%s

misuse of aliased aggregate %s

not authorized to use function: %s

too many terms in %s BY clause

%.*s"%w"%s

%s%.*s"%w"

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

Cannot add a PRIMARY KEY column

automatic extension loading failed: %s

illegal first argument to %s

%s {%s}

d-d-d d:d:d

d:d:d

d-d-d

view %s is circularly defined

LIMIT clause should come after %s not before

ORDER BY clause should come after %s not before

zeroblob(%d)

ANY(%s)

VIRTUAL TABLE INDEX %d:%s

USING INTEGER PRIMARY KEY

INDEX %s

COVERING INDEX %s

PRIMARY KEY

AS %s

TABLE %s

SUBQUERY %d

?API call with %s database connection pointer

cannot limit WAL size: %s

2nd reference to page %d

invalid page number %d

automatic index on %s(%s)

database corruption at line %d of [%.10s]

recovered %d frames from WAL file %s

bind on a busy prepared statement: [%s]

%s - %s

malformed database schema (%s)

Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)

Failed to read ptrmap key=%d

failed to get page %d

%d of %d pages missing from overflow list starting at %d

freelist leaf count too big on page %d

recovered %d pages from %s

unknown database: %s

Fragmentation of %d bytes reported as %d on page %d

Multiple uses for byte %d of page %d

Corruption detected in cell %d on page %d

On page %d at right child:

On tree page %d cell %d:

unable to get the page. error code=%d

btreeInitPage() returns error code %d

Page %d:

Outstanding page count goes from %d to %d during this analysis

Pointer map page %d is referenced

Page %d is never used

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

at most %d tables in a join

unknown database %s

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

DELETE FROM %Q.sqlite_sequence WHERE name=%Q

MJ delete: %s

-mjX9X

MJ collide: %s

%s-mjXXXXXX9XXz

database %s is locked

cannot detach database %s

no such database: %s

database schema is locked: %s

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0

PRAGMA vacuum_db.synchronous=OFF

cannot VACUUM - SQL statements in progress

SELECT %s WHERE rowid = ?

INSERT INTO %Q.'%q_content' VALUES(%s)

SELECT %s WHERE rowid=?

CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);

CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);

CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));

CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);

CREATE TABLE %Q.'%q_content'(%s)

%z, 'c%d%q'

docid INTEGER PRIMARY KEY

SELECT tbl,idx,stat FROM %Q.sqlite_stat1

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

unsupported file format

no such trigger: %S

no such table column: %s.%s

malformed MATCH expression: [%s]

FTS expression tree is too large (maximum depth %d)

statement aborts at %d: [%s] %s

abort at %d in [%s]: %s

%s constraint failed

%s constraint failed: %s

database table is locked: %s

cannot change %s wal mode from within a transaction

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

cannot commit transaction - SQL statements in progress

cannot release savepoint - SQL statements in progress

no such savepoint: %s

cannot open savepoint - SQL statements in progress

sqlite_sequence

there is already an index named %s

DELETE FROM %Q.%s WHERE name=%Q AND type='index'

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

no such index: %S

unable to identify the object to be reindexed

unsupported encoding: %s

NULL value in %s.%s

*** in database %s ***

no such table: %s

%s.%s.%s

too many references to "%s": max 65535

sqlite_sq_%p

cannot create INSTEAD OF trigger on table: %S

cannot create %s trigger on view: %S

cannot open value of type %s

cannot open %s column for writing

no such column: "%s"

cannot open view: %s

cannot open table without rowid: %s

cannot open virtual table: %s

indexed

foreign key

EXECUTE %s%s SUBQUERY %d

there is already another table or index with this name: %s

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

view %s may not be altered

sqlite_altertab_%s

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

CREATE%s INDEX %.*s

table %s has no column named %s

sqlite_autoindex_%s_%d

index %s already exists

there is already a table named %s

virtual tables may not be indexed

views may not be indexed

table %s may not be indexed

cannot create a TEMP index on non-TEMP table "%s"

PRAGMA %Q.page_size

SELECT 1 FROM %Q.sqlite_master WHERE tbl_name='%q_stat'

%s_segments

SELECT stat FROM %Q.sqlite_stat1 WHERE tbl = '%q_rowid'

CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))

SELECT pw=sqlite_crypt(?1,pw), isAdmin FROM "%w".sqlite_user WHERE uname=?2

INSERT INTO sqlite_user(uname,isAdmin,pw) VALUES(%Q,%d,sqlite_crypt(?1,NULL))

CREATE TABLE sqlite_user(

uname TEXT PRIMARY KEY,

UPDATE sqlite_user SET isAdmin=%d, pw=sqlite_crypt(?1,NULL) WHERE uname=%Q

DELETE FROM sqlite_user WHERE uname=%Q

unable to open database: %s

Invalid key value

database %s is already in use

too many attached databases - max %d

AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY

table "%s" has more than one primary key

CREATE TABLE %Q.sqlite_sequence(name,seq)

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

CREATE %s %.*s

PRIMARY KEY missing on table %s

SELECT %s

%d %d %d %d

misuse of aggregate: %s()

no such column: %s

SELECT %s ORDER BY rowid %s

%d values for %d columns

table %S has %d columns but %d values were supplied

table %S has no column named %s

-- TRIGGER %s

use DROP VIEW to delete view %s

use DROP TABLE to delete table %s

table %s may not be dropped

sqlite_stat

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

CREATE TABLE x(%s %Q HIDDEN, docid HIDDEN, %Q HIDDEN)

missing %s parameter in fts4 constructor

error parsing prefix parameter: %s

unrecognized order: %s

unrecognized matchinfo: %s

unrecognized parameter: %s

notindexed

%s, %s

CREATE TABLE x(%s

porter

Visual C   CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

%S#[k

?#%X.y

GetProcessWindowStation

KERNEL32.dll

GetCPInfo

sqlite3.dll

sqlite3_aggregate_context

sqlite3_aggregate_count

sqlite3_auto_extension

sqlite3_backup_finish

sqlite3_backup_init

sqlite3_backup_pagecount

sqlite3_backup_remaining

sqlite3_backup_step

sqlite3_bind_blob64

sqlite3_bind_text16

sqlite3_bind_text64

sqlite3_bind_value

sqlite3_bind_zeroblob

sqlite3_blob_bytes

sqlite3_blob_close

sqlite3_blob_open

sqlite3_blob_read

sqlite3_blob_reopen

sqlite3_blob_write

sqlite3_busy_handler

sqlite3_cancel_auto_extension

sqlite3_close_v2

sqlite3_collation_needed

sqlite3_collation_needed16

sqlite3_column_bytes16

sqlite3_column_database_name

sqlite3_column_database_name16

sqlite3_column_decltype

sqlite3_column_decltype16

sqlite3_column_name16

sqlite3_column_origin_name

sqlite3_column_origin_name16

sqlite3_column_table_name

sqlite3_column_table_name16

sqlite3_column_text16

sqlite3_column_type

sqlite3_column_value

sqlite3_commit_hook

sqlite3_compileoption_get

sqlite3_compileoption_used

sqlite3_complete

sqlite3_complete16

sqlite3_config

sqlite3_context_db_handle

sqlite3_create_collation

sqlite3_create_collation16

sqlite3_create_collation_v2

sqlite3_create_function

sqlite3_create_function16

sqlite3_create_function_v2

sqlite3_create_module

sqlite3_create_module_v2

sqlite3_data_count

sqlite3_db_config

sqlite3_db_filename

sqlite3_db_handle

sqlite3_db_mutex

sqlite3_db_readonly

sqlite3_db_release_memory

sqlite3_db_status

sqlite3_declare_vtab

sqlite3_enable_load_extension

sqlite3_enable_shared_cache

sqlite3_errmsg16

sqlite3_errstr

sqlite3_expired

sqlite3_extended_errcode

sqlite3_extended_result_codes

sqlite3_file_control

sqlite3_free_table

sqlite3_get_autocommit

sqlite3_get_auxdata

sqlite3_get_table

sqlite3_global_recover

sqlite3_initialize

sqlite3_key_v2

sqlite3_libversion_number

sqlite3_limit

sqlite3_load_extension

sqlite3_log

sqlite3_malloc

sqlite3_malloc64

sqlite3_memory_alarm

sqlite3_memory_highwater

sqlite3_memory_used

sqlite3_mprintf

sqlite3_msize

sqlite3_mutex_alloc

sqlite3_mutex_enter

sqlite3_mutex_free

sqlite3_mutex_leave

sqlite3_mutex_try

sqlite3_next_stmt

sqlite3_open

sqlite3_open16

sqlite3_os_end

sqlite3_os_init

sqlite3_overload_function

sqlite3_prepare

sqlite3_prepare16

sqlite3_prepare16_v2

sqlite3_profile

sqlite3_progress_handler

sqlite3_randomness

sqlite3_realloc

sqlite3_realloc64

sqlite3_rekey_v2

sqlite3_release_memory

sqlite3_reset_auto_extension

sqlite3_result_blob

sqlite3_result_blob64

sqlite3_result_double

sqlite3_result_error

sqlite3_result_error16

sqlite3_result_error_code

sqlite3_result_error_nomem

sqlite3_result_error_toobig

sqlite3_result_int

sqlite3_result_int64

sqlite3_result_null

sqlite3_result_text

sqlite3_result_text16

sqlite3_result_text16be

sqlite3_result_text16le

sqlite3_result_text64

sqlite3_result_value

sqlite3_result_zeroblob

sqlite3_rollback_hook

sqlite3_rtree_geometry_callback

sqlite3_rtree_query_callback

sqlite3_set_authorizer

sqlite3_set_auxdata

sqlite3_shutdown

sqlite3_sleep

sqlite3_snprintf

sqlite3_soft_heap_limit

sqlite3_soft_heap_limit64

sqlite3_sourceid

sqlite3_status

sqlite3_stmt_busy

sqlite3_stmt_readonly

sqlite3_stmt_status

sqlite3_strglob

sqlite3_stricmp

sqlite3_strnicmp

sqlite3_table_column_metadata

sqlite3_test_control

sqlite3_thread_cleanup

sqlite3_threadsafe

sqlite3_total_changes

sqlite3_trace

sqlite3_transfer_bindings

sqlite3_update_hook

sqlite3_uri_boolean

sqlite3_uri_int64

sqlite3_uri_parameter

sqlite3_user_add

sqlite3_user_authenticate

sqlite3_user_change

sqlite3_user_data

sqlite3_user_delete

sqlite3_value_blob

sqlite3_value_bytes

sqlite3_value_bytes16

sqlite3_value_double

sqlite3_value_int

sqlite3_value_int64

sqlite3_value_numeric_type

sqlite3_value_text

sqlite3_value_text16

sqlite3_value_text16be

sqlite3_value_text16le

sqlite3_value_type

sqlite3_vfs_find

sqlite3_vfs_register

sqlite3_vfs_unregister

sqlite3_vmprintf

sqlite3_vsnprintf

sqlite3_vtab_config

sqlite3_vtab_on_conflict

sqlite3_wal_autocheckpoint

sqlite3_wal_checkpoint

sqlite3_wal_checkpoint_v2

sqlite3_wal_hook

sqlite3_win32_is_nt

sqlite3_win32_mbcs_to_utf8

sqlite3_win32_set_directory

sqlite3_win32_sleep

sqlite3_win32_utf8_to_mbcs

sqlite3_win32_write_debug

zcÁ

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

3(4-424<4]4

7 8$8(8,8

< =2=9=[=

5"5(575=5

3 3$3(3,3034383

;!;);2;|;

6v7X7i7r7

3!4&454:4

=4>&?\?~?

3 3$3(3,3034383<3

9#9)92999[9

7 <$<(<,<0<

X:\:`:d:h:l:p:t:x:|:

\AppData\QS.db

select * from sqlite_master where tbl_name='data'

hXXp://zz.1235k.com/?XQS

hXXp://VVV.52dfg.com/forum-40-1.html?XQS

hXXp://VVV.52dfg.com

\AppData\wwblist.txt

\AppData\qblist.txt

\AppData\qwlist.txt

%S4WD

hg%fpM

S.Ac9SR

0.I%3s

,wAe.kI

aiUy'4xu

%c*@j

.eH'y

{&%U)

lj%4U

xe%CNs

9F.cLe

hJK.ZH

O.qt0

COMCTL32.dll

GDI32.dll

MSIMG32.dll

MSVCRT.dll

MSVFW32.dll

USER32.dll

SkinH_EL.dll

_yhXXps://apisoft.df0535.com/Dfgapi/softmark?mark=

hXXp://apisoft.df0535.com/Dfgapi/softmark?mark=

data.mark

data.version

data.log

data.remark

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\

114.114.114.114,114.114.115.115

return'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g,function(c){

var r=Math.random()*16|0,v=c=='x'?r:(r&0x3|0x8);

return v.toString(16);

}).toUpperCase();

@%y/%m/%d

%y-%m-%d

g@\Error.log

\QQDATA.ini

\QQDATA.ini.bak

QQ,pass,config

hXXp://VVV.52dfg.com/dfg/nvwnuqy2.gif

hXXp://VVV.52dfg.com/dfg/yxj.gif

hXXps://apisoft.df0535.com/Dfgapi/admanage.html

hXXp://apisoft.df0535.com/Dfgapi/admanage.html

].name

].content

].imgurl

].url

].msg

hXXp://

hXXps://

qq.com

dfg.dat

operatea

skey

hXXp://vipfunc.qq.com/common/user.php?callback=showGrowInfoPanel&data=grow_value&g_tk=

hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=23314&g_tk=

hXXp://iyouxi.vip.qq.com/ams3.0.php?callback=jQuery

hXXp://iyouxi.vip.qq.com/ams3.0.php?actid=52002&rand=0.

hXXp://iyouxi.vip.qq.com/ams3.0.php?actid=53284&rand=0.

data.op.sign.gift.f_actid

data.op.sign.gift.f_name

hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=

hXXp://mc.vip.qq.com/supergrowth/index?_nav_alpha=0&_wv=3

data.iLastDepositEnergy

hXXp://cgi.vip.qq.com/svipgrowth/updatedepositInfo?g_tk=

hXXp://cgi.vip.qq.com/svipgrowth/withdrawGrowth?g_tk=

hXXp://mc.vip.qq.com/supergrowth/index?_nav_alpha=0&_wv=3

hXXps://ssl.

ptlogin2.qq.com/pt4_auth?daid=50&appid=7000201&auth_token=

®master=&aid=7000201&s_url=http://baobao.qq.com/act/gamepet/

hXXp://cgi.baobao.qq.com/cgi-bin/pets_get_carried

pet.seq

hXXp://cgi.baobao.qq.com/cgi-bin/pets_takeoff

cmd=2&from=baobao

hXXp://cgi.baobao.qq.com/cgi-bin/pets_speedup_info

hXXp://cgi.baobao.qq.com/cgi-bin/pets_list

.avatarid

.life

300007156

hXXp://cgi.baobao.qq.com/cgi-bin/pets_takeon

hXXp://cgi.baobao.qq.com/cgi-bin/pets_speedup

ptlogin2.qq.com/pt4_auth?daid=173&appid=7000201&auth_token=

®master=&aid=7000201&s_url=http://bbly.qq.com/

cmd=22&petID=

hXXp://cgi.bbly.qq.com/cgi-bin/PetHome?

a.push(b,c,d,e,f,g);

a.push(b,c,d,e,f);

function ptui_qlogin_CB(b,c,d)

a.push(b,c,d);

a.push(b,c);

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; qdesk 2.5.1277.202; Windows NT 6.1; WOW64; Trident/6.0; QQBrowser/7.7.28658.400)

https

ptlogin2.qq.com/pt4_auth?daid=176&appid=21000110&auth_token=

®master=&aid=21000110&s_url=http://gamevip.qq.com/

hXXp://app.gamevip.qq.com/cgi-bin/gamevip_sign/GameVip_SignIn?callback=jQuery

SignDay.day

hXXp://app.gamevip.qq.com/cgi-bin/gamevip_sign/GameVip_Lottery?callback=jQuery

hXXp://app.gamevip.qq.com/cgi-bin/gamevip_m_sign/GameVip_m_SignIn?_

hXXp://iyouxi.vip.qq.com/json.php?mod=game&func=award&uin=

hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=54963&isLoadUserInfo=1&g_tk=

hXXp://iyouxi.vip.qq.com/ams3.0.php?g_tk=

data.op.name

hXXp://x.pet.qq.com/vip_platform?cmd=set_sign_info&callback=jQuery

ptlogin2.qq.com/pt4_auth?daid=8&appid=21000124&auth_token=

®master=&aid=21000124&s_url=http://xinyue.qq.com/comm-htdocs/login/logincallback.htm

hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=21547&sServiceDepartment=xinyue&set_info=xinyue

flowRet.sMsg

hXXp://starvip.qq.com/fcg-bin/v2/fcg_mobile_starvip_site_checkin?g_tk=

data.add

p_skey

hXXp://flower.qzone.qq.com/fcg-bin/cgi_plant?g_tk=

&newflower=1&outCharset=utf-8&g_tk=

X-Requested-With: ShockwaveFlash/18.0.0.203

Referer: hXXp://ctc.qzs.qq.com/qzone/flower/flash/Flower3.swf?mode=0

hXXps://h5.qzone.qq.com/proxy/domain/taotao.qq.com/cgi-bin/emotion_cgi_msglist_v6?uin=

(@msglist[0].tid

hXXp://h5.qzone.qq.com/proxy/domain/w.qzone.qq.com/cgi-bin/likes/internal_dolike_app?g_tk=

/mood/

.1&curkey=http://user.qzone.qq.com/

&unikey=http://user.qzone.qq.com/

/311&opuin=

qzreferrer=http://user.qzone.qq.com/

hXXp://h5.qzone.qq.com/proxy/domain/w.qzone.qq.com/cgi-bin/likes/internal_unlike_app?g_tk=

hXXp://flower.qzone.qq.com/cgi-bin/cgi_pickup_oldfruit?g_tk=

&outCharset=utf-8&fupdate=1&format=json

mode=1&g_tk=

data.count

hXXp://flower.qzone.qq.com/cgi-bin/cgi_show_userprop?p=0.

data.prop[

hXXp://flower.qzone.qq.com/cgi-bin/cgi_exchange_prop?g_tk=

&qzreferrer=http://rc.qzone.qq.com/appstore/dailycoupon?from=appstore.myInfoBoxBtn&fupdate=1

qzreferrer=http://ctc.qzs.qq.com/qzone/flower/tool.html#&op_uin=

frameElement.callback(

hXXp://flower.qzone.qq.com/cgi-bin/cgi_use_mallprop?g_tk=

qzreferrer=http://ctc.qzs.qq.com/qzone/flower/tool.html#&propid=7&op_uin=

hXXp://flower.qzone.qq.com/cgi-bin/fg_get_giftpkg?&g_tk=

Referer: hXXp://ctc.qzs.qq.com/qzone/client/photo/swf/RareFlower/FlowerVineLite.swf

data.vDailyGiftpkg

].granttime

data.vDailyGiftpkg[

hXXp://flower.qzone.qq.com/cgi-bin/fg_use_giftpkg?g_tk=

giftpkgid=

data.usedgiftpkg[0].caption

data.usedgiftpkg[0].content

data.vSeriesLoginGiftpkg

data.vSeriesLoginGiftpkg[

hXXp://flower.qzone.qq.com/cgi-bin/cgi_get_giftpkg?uin=

data.giftpkg

data.giftpkg[

hXXp://flower.qzone.qq.com/cgi-bin/cgi_use_giftpkg?g_tk=

qzreferrer=http://qzs.qq.com/qzone/flower/giftPack.html&hottag=receive&giftpkgid=

data.giftpkg[0].caption

data.giftpkg[0].content

ptlogin2.qq.com/pt4_auth?daid=5&appid=549000912&auth_token=

®master=&aid=549000912&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone

hXXp://user.qzone.qq.com/

&pvsrc=102&s_p=1|http|&s_v=0&ozid=511022&vipid=&actid=133339&sid=&cache=3654

hXXps://iyouxi3.vip.qq.com/ams3.0.php?g_tk=

hXXps://proxy.vac.qq.com/cgi-bin/srfentry.fcgi?ts=

Referer: hXXps://i.qianbao.qq.com/wallet/recharge/dist/m/index_v4.html?_wv=1031&noTab=1&tab=fee&payChannel=task_activity&source=sng_308803&taskPlugin=1&pvsrc=311&bottom=50

User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.4; zh-cn; Lan998 Build/GRJ22) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 V1_AND_SQ_5.2.1_183_YYB_D QQ/5.2.1.2305 NetType/WIFI

['10752'].ret

&data={"10975":{"sIn":{"uin":0}}}&pt4_token=

['10975'].ret

['10975'].data.sOut.continueDays

&pvsrc=102&s_p=1|http|&s_v=0&ozid=511022&vipid=&actid=168877&_record_def_gift=true&cache=3654

data.op.diamonds

hXXp://fight.pet.qq.com/cgi-bin/petpk?cmd=award&op=1&type=0

ContinueLogin

ptlogin2.qq.com/pt4_auth?daid=49&appid=7000201&auth_token=

®master=&aid=7000201&s_url=http://meigui.qq.com/

hXXp://cgi.meigui.qq.com/cgi-bin/rosary_activity_oper?gprand=0.

request=2&cmd=15&cgiVersion=36&paytype=1&benew0908=1

hXXp://fcg.3366.com/fcg-bin/growinfo/mgp_growinfo_signin?&_r=

hXXp://appstore.qzone.qq.com/cgi-bin/comm/appstore_qq_icon?uin=

hXXp://appact.qzone.qq.com/appstore_activity_appinner_fusionapi?uin=

hXXp://activity.qzone.qq.com/fcg-bin/appstore_activity_daily_signing?g_tk=

data.signing_reward

].status

data.signing_reward[

].signing_day

].rand_reward_desc

].extra_score

hXXp://activity.qzone.qq.com/fcg-bin/appstore_activity_daily_signing?uin=

data.extra_score

data.result

data.reward_name

hXXp://appact.qzone.qq.com/appstore_activity_new_userinfo?uin=

hXXp://appact.qzone.qq.com/appstore_activity_daily_lottery?uin=

&canvastype=&from=appstore.myInfoBoxBtn&uin=

&pfid=2&qz_ver=8&appcanvas=0&qz_style=31¶ms=dailycoupon&entertime=

qzreferrer=http://appstore.qzone.qq.com/cgi-bin/qzapps/qz_appstore_home_v4?uin=

hXXp://h5.qzone.qq.com/vipinfo/index?plg_nld=1&source=qqmail&plg_auth=1&plg_uin=1&_wv=3&plg_dev=1&plg_nld=1&aid=jh&_bid=368&plg_usr=1&plg_vkey=1&pt_qzone_sig=1

window.shine0callback =

hXXp://vip.qzone.qq.com/fcg-bin/v2/fcg_mobile_vip_site_checkin?t=0.

&low_login=1&uin=

hXXp://pay.video.qq.com/fcgi-bin/sign?callback=jQuery111006800204519842937_

result.msg

result.code

&skey=

hXXp://p.guanjia.qq.com/bin/user/qrycheckin.php?op=checkin&emotionId=86&Uin=

Referer: hXXp://s.pcmgr.qq.com/user_v2/inc/sign.html

&tmcost=0&frequency=1&key=appid,commandid,resultcode&1_1=1000417&1_2=h5/sign_in&1_3=0&rv=0.0

hXXps://h5.qzone.qq.com/wspeed.qq.com/w.cgi?releaseversion=null&touin=

hXXps://h5.weiyun.com/sign_in

hXXp://account.book.qq.com/usercenter/index.html

hXXp://account.book.qq.com

X-Requested-With: XMLHttpRequest

Referer: hXXp://account.book.qq.com/usercenter/index.html

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

hXXp://account.book.qq.com/usercenter/signin.html

hXXp://snsapp.qzone.qq.com/cgi-bin/signin/checkin_cgi_read?version=1&more_info_length=10&is_need_rank=1&plattype=1&r=0.

Referer: hXXp://ctc.qzs.qq.com/qzone/app/checkin_v4/html/checkin.html

data.seal_info.seal_info['23'][5].post_proxy

data.seal_info.seal_info['23'][5].id

hXXp://login.52dfg.com/xinxi/shuoshuo/getss.php?type=

hXXp://snsapp.qzone.qq.com/cgi-bin/signin/checkin_cgi_publish?g_tk=

qzreferrer=http://ctc.qzs.qq.com/qzone/app/checkin_v4/html/checkin.html#id=0&groupId=0&nofeeds=0&ref=checkin_button&to=ICONVIEW&plattype=1&hostuin=

hXXp://social.minigame.qq.com/cgi-bin/social/welcome_panel_operate?callback=&cmd=2&uin=

hXXp://social.minigame.qq.com/cgi-bin/social/welcome_panel_operate?callback=&cmd=1&uin=

hXXp://social.minigame.qq.com/cgi-bin/social/welcome_panel_operate?callback=&cmd=3&uin=

].lotteryid

].lotteryitemname

hXXp://share.music.qq.com/fcgi-bin/dmrp_activity/fcg_feedback_send_lottery.fcg?activeid=110&rnd=

data.alreadysend

hXXp://share.music.qq.com/fcgi-bin/dmrp_activity/fcg_dmrp_get_present.fcg?activeid=73&rnd=

hXXp://share.music.qq.com/fcgi-bin/dmrp_activity/fcg_dmrp_send_lottery.fcg?activeid=128&format=jsonp&inCharset=GB2312&outCharset=gb2312¬ice=0&platform=activity&jsonpCallback=MusicJsonCallback&needNewCode=1&rnd=

hXXp://share.music.qq.com/fcgi-bin/dmrp_activity/fcg_dmrp_send_lottery.fcg?activeid=130&format=jsonp&inCharset=GB2312&outCharset=gb2312¬ice=0&platform=activity&jsonpCallback=MusicJsonCallback&needNewCode=1&rnd=

hXXp://share.music.qq.com/fcgi-bin/dmrp_activity/fcg_dmrp_send_lottery.fcg?activeid=138&format=jsonp&inCharset=GB2312&outCharset=gb2312¬ice=0&platform=activity&jsonpCallback=MusicJsonCallback&needNewCode=1&rnd=

&plat=1&version=6.6.6¶m={"key0":{"param":{"bid":13792605},"module":"reader_comment_read_svr","method":"GetReadAllEndPageMsg"}}

hXXps://reader.sh.vip.qq.com/cgi-bin/common_async_cgi?g_tk=

hXXp://i.browser.qq.com

hXXp://i.browser.qq.com/all_data_query?guid=

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.104 Safari/537.36 Core/1.53.1836.400 QQBrowser/9.5.9947.400

static_data.task_list

].interface

static_data.task_list[

].title

].score

hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=dj&iActivityId=11117&sServiceDepartment=djc&set_info=djc

modRet.ret

modRet.msg

gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=dj&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=11117&iFlowId=96910&g_tk=

flowRet.iRet

modRet.sMsg

ptlogin2.qq.com/pt4_auth?daid=8&appid=21000501&auth_token=

®master=&aid=21000501&s_url=http://daoju.qq.com/mall/index.shtml

hXXp://igame.qq.com/interface/fn/index.php?logicname=c_igamesign_setHonorNotice&gid=

ptlogin2.qq.com/pt4_auth?daid=37&appid=563027201&auth_token=

®master=&aid=563027201&s_url=http://igame.qq.com/center/index.php

hXXp://igame.qq.com/center/index.php

hXXp://qun.qq.com/cgi-bin/qun_mgr/get_group_list

join

join[

hXXp://qzonestyle.gtimg.cn/qzone/qzactStatics/configSystem/data/210/config2.js?r=0.

].goodsWord

].quantity

].packageID

].giftID

&client=2&version=6.6.2.408

hXXps://pay.qun.qq.com/cgi-bin/group_pay/good_feeds/draw_lucky_gift

&version=iOS6.6.2.408&_r=

hXXps://pay.qun.qq.com/cgi-bin/group_pay/good_feeds/send_goods

hXXp://pay.qun.qq.com/cgi-bin/group_pay/good_feeds/get_gift_free_num?channel=3&from=0&gc=

hXXps://pay.qun.qq.com/cgi-bin/group_pay/good_feeds/gain_give_stock?bkn=

hXXp://cgi.vip.qq.com/online/set?p_tk=&g_tk_type=1&g_tk=

hXXp://1.game.qq.com/app/sign?start=

jData.signInfo.msg

jData.signInfo.ret

hXXp://x.pet.qq.com/petgrow?cmd=Random&callback=jQuery

hXXp://x.pet.qq.com/toolbarsign?cmd=Sign&callback=jQuery

hXXp://x.pet.qq.com/toolbarsign?cmd=Gift&callback=jQuery

hXXps://novelsns.html5.qq.com/ajax?m=task&type=sign&aid=20&t=

; Q-H5-SKEY=

Referer: hXXps://bookshelf.html5.qq.com/discovery.html

User-Agent: Mozilla/5.0 (Linux; U; Android 6.0.1; zh-cn; OPPO R9s Build/MMB29M) AppleWebKit/537.36 (KHTML, like Gecko)Version/4.0 Chrome/37.0.0.0 MQQBrowser/7.4 Mobile Safari/537.36

hXXps://novelsns.html5.qq.com/ajax?m=shareSignPageObtainBeans&aid=20&t=

hXXps://h5.qzone.qq.com/proxy/domain/activity.qzone.qq.com/fcg-bin/fcg_huangzuan_daily_signing?t=0.

hXXp://sweet.snsapp.qq.com/

hXXp://sweet.snsapp.qq.com/v2/cgi-bin/sweet_signlove_get?cmd=1&startts=

hXXp://sweet.snsapp.qq.com/v2/cgi-bin/sweet_signlove_share?g_tk=

&plat=0&qzreferrer=http://sweet.snsapp.qq.com/#module=main

.jpg?","height":"240","width":"245"}]&opuin=

cmd=0&outputformat=2&content=#çˆ±çš„ç¾åˆ°#é€ä½ çˆ±çš„å°å¡~&richval=[{"type":"image","url":"http://imgcache.qq.com/qqshow/admindata/comdata/qldata_common_data/2014-

tencent.mobile.qq.csrfauth

hXXp://play.mobile.qq.com/pansocial/cgi/checkin/checkInAction?actionType=0&token=

Referer: hXXp://play.mobile.qq.com/play/mqqplay/keepsign/index.html?_wv=1027&_bid=2344

&number=0&path=489&plat=qq&gamecenter=1&_wv=1031&_proxy=1&gc_version=2&ADTAG=gamecenter¬ShowPub=1¶m={"0":{"param":{"platform":1,"tt":1},"module":"gc_my_tab","method":"sign_in"}}&_=

hXXp://info.gamecenter.qq.com/cgi-bin/gc_my_tab_async_fcgi?merge=1&ver=0&st=

data['0'].retBody.data.cur_continue_sign

data['0'].retBody.data.coin_num

hXXps://growth.video.qq.com/fcgi-bin/query_growth_task_status?platform=2&taskid=[]&otype=json&g_tk=

]['27'].iStatus

hXXps://growth.video.qq.com/fcgi-bin/sync_task?callback=&otype=json&taskid=27&platform=2&_=

]['27'].signInfo

hXXps://growth.video.qq.com/fcgi-bin/query_growth_task_status?platform=8&taskid=[]&otype=json&g_tk=

]['22'].iStatus

hXXps://growth.video.qq.com/fcgi-bin/sync_task?callback=&otype=json&taskid=22&platform=1&_=

]['22'].signInfo

hXXps://growth.video.qq.com/fcgi-bin/query_growth_task_status?platform=5&taskid=[]&otype=json&g_tk=

]['24'].iStatus

hXXps://growth.video.qq.com/fcgi-bin/sync_task?callback=&flag=1&otype=json&taskid=24&platform=3&_=

]['24'].signInfo

hXXp://mcapp.z.qq.com/nc/cgi-bin/wap_farm_index?sid=c&g_ut=2&signin=1

hXXp://mcapp.z.qq.com/nc/cgi-bin/wap_farm_freegift_recv?sid=c&g_ut=2&fg_recv=1

hXXp://mcapp.z.qq.com/nc/cgi-bin/wap_farm_harvest?sid=c&B_UID=0&place=0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23&g_ut=2&time=-2147483648

hXXp://mcapp.z.qq.com/mc/cgi-bin/wap_pasture_index?sid=c&g_ut=2&signin=1&yellow=1&optflag=2&pid=0&v=1

hXXp://mcapp.z.qq.com/mc/cgi-bin/wap_pasture_harvest?sid=c&g_ut=2&serial=-1&htype=3

Referer: hXXp://wenwen.sogou.com/cate/home

hXXp://wenwen.sogou.com/submit/ms/signin?groupUin=undefined

ptlogin2.qq.com/pt4_auth?daid=210&appid=6000201&auth_token=

®master=&aid=6000201&s_url=http://wenwen.sogou.com/login/popLogin

hXXp://wenwen.sogou.com/login/popLogin

hXXp://wenwen.sogou.com/wapi/qun/red-dot?groupUin=

hXXp://wenwen.sogou.com/submit/qun/signin?groupUin=

&ch=qun.quan.switch.1.pc

Referer: hXXp://wenwen.sogou.com/qunapp/index/?groupUin=

hXXps://qs.888.qq.com/m_qq/mqq2.local.html?vb2ctag=4_2114_3_4639&_wv=1&lh=1

hXXps://qs.888.qq.com/node_export/?d=activity&c=sign&m=getQQSvipPresent&ajax=true&cms_where=1366&vb2ctag=4_2114_3_4639&bc_web=2009927510&reportUin=

Referer: hXXps://qs.888.qq.com/m_qq/mqq2.local.html?vb2ctag=4_2114_3_4639&_wv=1&lh=1&lh=1

&client=1&version=qqreader_1.0.669.0001_android_qqplugin&channel=00000&_bid=2036&ChannelID=100020&plat=1&qqVersion=0&_from=sign_index&_=

hXXps://reader.sh.vip.qq.com/cgi-bin/reader_page_csrf_cgi?merge=2&ditch=100020&cfrom=account¤t=sign_index&tf=2&sid=

param={"0":{"param":{"tt":0},"module":"reader_sign_manage_svr","method":"UserTodaySign"},"1":{"param":{"tt":0},"module":"reader_sign_manage_svr","method":"GetSignGifts"}}

data['0'].retCode

data['0'].retBody.data.isSignNow

data['0'].retBody.data.lastDays

].awardType

data['0'].retBody.data.awards[

].awardNum

hXXp://reader.sh.vip.qq.com/cgi-bin/reader_page_csrf_cgi?merge=1&ditch=100020&cfrom=account¤t=sign_index&tf=2&sid=

param={"0":{"param":{"tt":0},"module":"reader_sign_manage_svr","method":"GrantBigGift"}}

data['0'].retBody.data.newlyGift.giftName

data['0'].retBody.data.newlyGift.giftNum

hXXp://comic.vip.qq.com/cgi-bin/coupon_coin?merge=1&pageVersion=288192_online&platId=109&version=1&_=

}}

param={"0":{"param":{"tt":0},"module":"comic_sign_in_svr","method":"SignIn","timestamp":

data['0'].retBody.data.ret

data['0'].retBody.data.singedDayOfMonth

&actid=105321&merge=1&plat=1&qqVersion=6.6.9.3060&_=

&actid=104360&merge=1&plat=1&qqVersion=6.6.9.3060&_=

&actid=104364&merge=1&plat=1&qqVersion=6.6.9.3060&_=

&actid=104365&merge=1&plat=1&qqVersion=6.6.9.3060&_=

D@hXXp://buluo.qq.com/cgi-bin/bar/card/bar_list_by_page?neednum=40&startnum=

result.followbars

].bid

result.followbars[

hXXp://buluo.qq.com/cgi-bin/bar/user/sign

result.add_credits

hXXp://qiandao.qun.qq.com/cgi-bin/sign

ptlogin2.qq.com/pt4_auth?daid=8&appid=21000115&auth_token=

®master=&aid=21000115&s_url=http://lz.qq.com/comm-htdocs/milo_mobile/login.html?s_url=http%3A%2F%2Flz.qq.com%2Fact%2Fa20160712sign%2Findex.html%3FADTAG%3Dwx.message&sData=&logo=

hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=qqgame&iActivityId=54614&sServiceDepartment=newterminals&set_info=newterminals&_=

&e_code=0&g_code=0&eas_url=http%3A%2F%2Flz.qq.com%2Fact%2Fa20160712sign%2F&eas_refer=http%3A%2F%2Flz.qq.com%2Fcomm-htdocs%2Fmilo_mobile%2Flogin.html&sServiceDepartment=group_h&sServiceType=qqgame

&e_code=0&g_code=0&eas_url=http%3A%2F%2Flz.qq.com%2Fact%2Fa20160712sign%2F&eas_refer=http%3A%2F%2Flz.qq.com%2Fcomm-htdocs%2Fmilo_mobile%2Flogin.html&sServiceDepartment=group_h

gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=qqgame&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=54614&iFlowId=324759&g_tk=

hXXp://pf.vip.qq.com/common/vframe1.1.php?&id=2000013&g_tk=

TASK.RET

TASK.RESULT.level

hXXp://king.qq.com/lb.html

hXXp://pf.vip.qq.com/common/vframe1.1.php?&id=3000013&g_tk=

hXXp://pf.vip.qq.com/common/vframe1.1.php?&id=5000013&g_tk=

hXXp://api.ruokuai.com/register.xml

hXXp://api.ruokuai.com/info.xml

hXXp://api.ruokuai.com/recharge.xml

hXXp://api.ruokuai.com/create.xml

hXXp://api.ruokuai.com/reporterror.xml

.jysnd.com

hXXp://api

version.dll

msimg32.dll

usp10.dll

winmm.dll

*.txt

|*.txt

hXXp://VVV.sz789.net/reg.aspx

hXXp://VVV.gsdati.com/index.php/Index/Index/register

hXXp://VVV.zhima365.com/userreg.php

hXXp://VVV.ruokuai.com/home/register

hXXp://VVV.killma.com/register.php

[/dfgmsg]

.toString()

.splice(

.push('

.push(

.push(eval(

get__key(

select name as title from sqlite_master where type='table'

select name as title from sqlite_master where type='table' and name not like('sqlite%')

SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND tbl_name='

PRIMARY KEY

ui.ptlogin2.qq.com/cgi-bin/login?link_target=blank&f_url=loginerroralert&hide_title_bar=1&style=11&daid=196&low_login=0&appid=710032918&s_url=http://bbs.lol.qq.com/member.php?mod=logging&action=loginsucc&target=self

pt_login_sig

hXXp://check.

&u1=http://bbs.lol.qq.com/member.php?mod=logging&action=loginsucc&r=0.

&js_type=1&login_sig=

ptlogin2.qq.com/check?regmaster=&pt_tea=2&pt_vcode=1&uin=

captcha.qq.com/cap_union_new_gettype?aid=710032918&asig=&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&curenv=inner&uid=

captcha.qq.com/cap_union_new_show?aid=710032918&asig=&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&curenv=inner&sess=

/cap_union_new_getcapbysig?aid=710032918&asig=&captype=&protocol=http&clientype=2&disturblevel=&apptype=2&curenv=inner&sess=

websig:"

&pt_randsalt=0&ptredirect=0&u1=http://bbs.lol.qq.com/member.php?mod=logging&action=loginsucc&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=

ptlogin2.qq.com/login?u=

captcha.qq.com/cap_union_new_verify?random=

&websig=

aid=710032918&asig=&captype=&protocol=http&clientype=2&disturblevel=&apptype=2&curenv=inner&sess=

aq.qq.com

while (z   aD < aC.length) {

t  = aC.substring(z, z   aD)   "\n";

return t   aC.substring(z, aC.length)

return "0"   t.toString(16)

return t.toString(16)

if (aG < aD.length   11) {

var aC = aD.length - 1;

var aE = aD.charCodeAt(aC--);

z.nextBytes(t)

this.dmp1 = null;

this.dmq1 = null;

this.coeff = null

if (z != null && t != null && z.length > 0 && t.length > 0) {

uv_alert("Invalid RSA public key")

return t.modPowInt(this.e, this.n)

var t = ah(aC, (this.n.bitLength()   7) >> 3);

var aD = this.doPublic(t);

var z = aD.toString(16);

if ((z.length & 1) == 0) {

N.prototype.doPublic = Y;

N.prototype.setPublic = q;

N.prototype.encrypt = r;

this.fromNumber(z, t, aC)

this.fromString(z, 256)

this.fromString(z, t)

aG = Math.floor(aC / 67108864);

au.prototype.am = aA;

au.prototype.DB = ay;

au.prototype.DM = ((1 << ay) - 1);

au.prototype.DV = (1 << ay);

au.prototype.FV = Math.pow(2, ac);

au.prototype.F1 = ac - ay;

au.prototype.F2 = 2 * ay - ac;

ar = "0".charCodeAt(0);

ar = "a".charCodeAt(0);

ar = "A".charCodeAt(0);

return ag.charAt(t)

var aC = ai[z.charCodeAt(t)];

z.fromInt(t);

this.fromRadix(aG, z);

var aF = aG.length,

if (aG.charAt(aF) == "-") {

if (aE   aD > this.DB) {

this[this.t - 1] |= (t & ((1 << (this.DB - aE)) - 1)) << aE;

this[this.t  ] = (t >> (this.DB - aE))

if (aE >= this.DB) {

aE -= this.DB

this[this.t - 1] |= ((1 << (this.DB - aE)) - 1) << aE

this.clamp();

au.ZERO.subTo(this, this)

var t = this.s & this.DM;

return "-"   this.negate().toString(z)

return this.toRadix(z)

var aG = this.DB - (aD * this.DB) % aC;

if (aG < this.DB && (aH = this[aD] >> aG) > 0) {

aH |= this[--aD] >> (aG  = this.DB - aC)

aG  = this.DB; --aD

au.ZERO.subTo(this, t);

return (this.s < 0) ? this.negate() : this

return this.DB * (this.t - 1)   l(this[this.t - 1] ^ (this.s & this.DM))

z.t = Math.max(this.t - aC, 0);

var z = aH % this.DB;

var t = this.DB - z;

var aE = Math.floor(aH / this.DB),

aG = (this.s << z) & this.DM,

aD.clamp()

var aE = Math.floor(aG / this.DB);

var z = aG % this.DB;

t = Math.min(z.t, this.t);

aD[aC  ] = aE & this.DM;

aE >>= this.DB

aD[aC  ] = aE & this.DM;

aE >>= this.DB

aD[aC  ] = this.DV   aE

var t = this.abs(),

aE = z.abs();

aD[aC   t.t] = t.am(0, aE[aC], aD, aC, 0, t.t)

aD.clamp();

au.ZERO.subTo(aD, aD)

var t = this.abs();

var aD = t.am(z, t[z], aC, 2 * z, 0, 1);

if ((aC[z   t.t]  = t.am(z   1, 2 * t[z], aC, 2 * z   1, aD, t.t - z - 1)) >= t.DV) {

aC[z   t.t] -= t.DV;

aC[aC.t - 1]  = t.am(z, t[z], aC, 2 * z, 0, 1)

aC.clamp()

var aQ = aK.abs();

var aI = this.abs();

aH.fromInt(0)

this.copyTo(aG)

var aP = this.DB - l(aQ[aQ.t - 1]);

aQ.lShiftTo(aP, aE);

aI.lShiftTo(aP, aG)

aQ.copyTo(aE);

aI.copyTo(aG)

var aT = this.FV / aL,

aE.dlShiftTo(aN, aF);

if (aG.compareTo(aF) >= 0) {

aG.subTo(aF, aG)

au.ONE.dlShiftTo(aM, aF);

aF.subTo(aE, aE);

var aD = (aG[--aO] == aC) ? this.DM: Math.floor(aG[aO] * aT   (aG[aO - 1]   aR) * aS);

if ((aG[aO]  = aE.am(0, aD, aG, aN, 0, aM)) < aD) {

aE.dlShiftTo(aN, aF);

aG.subTo(aF, aG);

aG.subTo(aF, aG)

aG.drShiftTo(aM, aH);

au.ZERO.subTo(aH, aH)

aG.clamp();

aG.rShiftTo(aP, aG)

au.ZERO.subTo(aG, aG)

this.abs().divRemTo(t, null, z);

if (this.s < 0 && z.compareTo(au.ZERO) > 0) {

t.subTo(z, z)

if (t.s < 0 || t.compareTo(this.m) >= 0) {

return t.mod(this.m)

t.divRemTo(this.m, null, t)

t.multiplyTo(aC, z);

this.reduce(z)

t.squareTo(z);

M.prototype.convert = X;

M.prototype.revert = am;

M.prototype.reduce = L;

M.prototype.mulTo = J;

M.prototype.sqrTo = aw;

z = (z * (2 - t * z % this.DV)) % this.DV;

return (z > 0) ? this.DV - z: -z

this.mp = t.invDigit();

this.mpl = this.mp & 32767;

this.mph = this.mp >> 15;

this.um = (1 << (t.DB - 15)) - 1;

this.mt2 = 2 * t.t

t.abs().dlShiftTo(this.m.t, z);

z.divRemTo(this.m, null, z);

if (t.s < 0 && z.compareTo(au.ZERO) > 0) {

this.m.subTo(z, z)

t.copyTo(z);

this.reduce(z);

while (t.t <= this.mt2) {

var aD = (z * this.mpl   (((z * this.mph   (t[aC] >> 15) * this.mpl) & this.um) << 15)) & t.DM;

t[z]  = this.m.am(0, aD, t, aC, 0, this.m.t);

while (t[z] >= t.DV) {

t[z] -= t.DV;

t.clamp();

t.drShiftTo(this.m.t, t);

if (t.compareTo(this.m) >= 0) {

t.subTo(this.m, t)

g.prototype.convert = al;

g.prototype.revert = av;

g.prototype.reduce = R;

g.prototype.mulTo = B;

g.prototype.sqrTo = ao;

return au.ONE

aF = aI.convert(this),

aF.copyTo(aG);

aI.sqrTo(aG, aC);

aI.mulTo(aC, aF, aG)

return aI.revert(aG)

if (aC < 256 || t.isEven()) {

return this.exp(aC, aD)

au.prototype.copyTo = aa;

au.prototype.fromInt = p;

au.prototype.fromString = y;

au.prototype.clamp = Q;

au.prototype.dlShiftTo = at;

au.prototype.drShiftTo = Z;

au.prototype.lShiftTo = v;

au.prototype.rShiftTo = n;

au.prototype.subTo = ad;

au.prototype.multiplyTo = F;

au.prototype.squareTo = S;

au.prototype.divRemTo = G;

au.prototype.invDigit = D;

au.prototype.isEven = k;

au.prototype.exp = A;

au.prototype.toString = s;

au.prototype.negate = T;

au.prototype.abs = an;

au.prototype.compareTo = I;

au.prototype.bitLength = w;

au.prototype.mod = P;

au.prototype.modPowInt = ap;

au.ZERO = c(0);

au.ONE = c(1);

d(new Date().getTime())

/*if(navigator.appName=="Netscape"&&navigator.appVersion<"5"&&window.crypto&&window.crypto.random){ var H=window.crypto.random(32); for(K=0; K<H.length;   K){ W[ae  ]=H.charCodeAt(K)&255 } }*/

K = Math.floor(65536 * Math.random());

o.init(W);

for (ae = 0; ae < W.length;   ae) {

return o.next()

for (t = 0; t < z.length;   t) {

af.prototype.nextBytes = ax;

z = (z   this.S[aD]   aE[aD % aE.length]) & 255;

m.prototype.init = f;

m.prototype.next = a;

t.setPublic(aC, z);

return t.encrypt(aD)

return Math.round(Math.random() * 4294967295)

for (var B = 0; B < D.length; B  ) {

var C = Number(D[B]).toString(16);

if (C.length == 1) {

for (var A = 0; A < B.length; A  = 2) {

C  = String.fromCharCode(parseInt(B.substr(A, 2), 16))

for (var A = 0; A < C.length; A  ) {

B[A] = C.charCodeAt(A)

var A = C.length;

var A = E.length;

for (var C = 0; C < B.length; C  ) {

var A = u.length;

for (var B = 0; B < E.length; B  ) {

C[B] = E.charCodeAt(B) & 255

for (var B = 0; B < E.length; B  = 2) {

C[A  ] = parseInt(E.substr(B, 2), 16)

for (var B = 0; B < C.length; B  ) {

A  = String.fromCharCode(C[B])

return d.encode(A)

initkey: function(A, B) {

d.PADCHAR = "=";

d.ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /";

d.getbyte = function(C, B) {

var A = C.charCodeAt(B);

d.encode = function(E) {

if (arguments.length != 1) {

var B = d.PADCHAR;

var G = d.ALPHA;

var F = d.getbyte;

var C = E.length - E.length % 3;

if (E.length == 0) {

A.push(G.charAt(H >> 18));

A.push(G.charAt((H >> 12) & 63));

A.push(G.charAt((H >> 6) & 63));

A.push(G.charAt(H & 63))

switch (E.length - C) {

A.push(G.charAt(H >> 18)   G.charAt((H >> 12) & 63)   B   B);

A.push(G.charAt(H >> 18)   G.charAt((H >> 12) & 63)   G.charAt((H >> 6) & 63)   B);

return A.join("")

return binl2hex(core_md5(str2binl(s), s.length * chrsz))

return binl2str(core_md5(str2binl(s), s.length * chrsz))

function hex_hmac_md5(key, data) {

return binl2hex(core_hmac_md5(key, data))

function b64_hmac_md5(key, data) {

return binl2b64(core_hmac_md5(key, data))

function str_hmac_md5(key, data) {

return binl2str(core_hmac_md5(key, data))

for (var i = 0; i < x.length; i  = 16) {

function core_hmac_md5(key, data) {

var bkey = str2binl(key);

if (bkey.length > 16) {

bkey = core_md5(bkey, key.length * chrsz)

ipad[i] = bkey[i] ^ 909522486;

opad[i] = bkey[i] ^ 1549556828

var hash = core_md5(ipad.concat(str2binl(data)), 512   data.length * chrsz);

return core_md5(opad.concat(hash), 512   128)

for (var i = 0; i < str.length * chrsz; i  = chrsz) {

bin[i >> 5] |= (str.charCodeAt(i / chrsz) & mask) << (i % 32)

for (var i = 0; i < bin.length * 32; i  = chrsz) {

str  = String.fromCharCode((bin[i >> 5] >>> (i % 32)) & mask)

for (var i = 0; i < binarray.length * 4; i  ) {

str  = hex_tab.charAt((binarray[i >> 2] >> ((i % 4) * 8   4)) & 15)   hex_tab.charAt((binarray[i >> 2] >> ((i % 4) * 8)) & 15)

for (var i = 0; i < binarray.length * 4; i  = 3) {

if (i * 8   j * 6 > binarray.length * 32) {

str  = tab.charAt((triplet >> 6 * (3 - j)) & 63)

for (var i = 0; i < str.length; i = i   2) {

arr.push("\\x"   str.substr(i, 2))

arr = arr.join("");

if (Math.random() > (probability || 1)) {

var url = location.protocol   "//ui.ptlogin2.qq.com/cgi-bin/report?id="   mid;

var s = document.createElement("img");

s.src = url;

function getEncryption(password, salt, vcode) {

var md5Pwd = md5(password),

rsaH1 = RSA.rsa_encrypt(h1),

rsaH1Len = (rsaH1.length / 2).toString(16),

hexVcode = TEA.strToBytes(vcode.toUpperCase()),

vcodeLen = "000"   vcode.length.toString(16);

while (rsaH1Len.length < 4) {

TEA.initkey(s2);

var saltPwd = TEA.enAsBase64(rsaH1Len   rsaH1   TEA.strToBytes(salt)   vcodeLen   hexVcode);

TEA.initkey("");

return saltPwd.replace(/[\/\ =]/g,

"/": "-",

" ": "*",

"=": "_"

{pass}

getEncryption("{pass}","{salt}","{code}")

keyvalue

hXXp://captcha.qq.com/cap_union_new_show

hXXp://ui.ptlogin2.qq.com/cgi-bin/login

keyboards

keyUpCnt

keyUpValue

focusBlur.in

focusBlur.out

1920-1080-1040-24-96-96-1

_0xf21cxa["keyvalue"] = [];

var _0xf21cx15 = ["mousemove", "mouseclick", "keyvalue", "user_Agent", "resolutionx", "resolutiony", "url", "refer", "begintime", "endtime", "platform", "os", "keyboards", "flash", "pluginNum", "index", "ptcz", "tokenid"];

_0xf21cx19["cutUrl"] = _0xf21cx45;

_0xf21cx4c["push"]((_0xf21cx5e >>> 4).toString(16));

_0xf21cx4c["push"]((_0xf21cx5e & 15).toString(16))

return _0xf21cx4c["join"]("")

return _0xf21cx53["join"]("")

_0xf21cx54["HmacMD5"] = _0xf21cx57._createHmacHelper(_0xf21cx55)

keySize: 4,

for (var _0xf21cx40 = this["cfg"], _0xf21cx43 = _0xf21cx40["hasher"]["create"](), _0xf21cx58 = _0xf21cx31["create"](), _0xf21cx52 = _0xf21cx58["words"], _0xf21cx5a = _0xf21cx40["keySize"], _0xf21cx40 = _0xf21cx40["iterations"]; _0xf21cx52["length"] < _0xf21cx5a;) {

this["_key"] = _0xf21cx5b;

keySize: 4,

return (_0xf21cx5b ? _0xf21cx43["create"]([1398893684, 1701076831])["concat"](_0xf21cx5b)["concat"](_0xf21cx58) : _0xf21cx58).toString(_0xf21cx55)

key: _0xf21cx5c,

keySize: _0xf21cx58   _0xf21cx5c

key: _0xf21cx5b,

_0xf21cx5c = _0xf21cx53["PasswordBasedCipher"] = _0xf21cx5b["extend"]({

_0xf21cx53 = _0xf21cx31["kdf"]["execute"](_0xf21cx53, _0xf21cx58["keySize"], _0xf21cx58["ivSize"]);

_0xf21cx58 = _0xf21cx5b["encrypt"]["call"](this, _0xf21cx58, _0xf21cx5c, _0xf21cx53["key"], _0xf21cx31);

_0xf21cx53 = _0xf21cx31["kdf"]["execute"](_0xf21cx53, _0xf21cx58["keySize"], _0xf21cx58["ivSize"], _0xf21cx5c["salt"]);

return _0xf21cx5b["decrypt"]["call"](this, _0xf21cx58, _0xf21cx5c, _0xf21cx53["key"], _0xf21cx31)

for (var _0xf21cx5b = this["_key"], _0xf21cx5c = _0xf21cx5b["words"], _0xf21cx53 = _0xf21cx5b["sigBytes"] / 4, _0xf21cx5b = 4 * ((this["_nRounds"] = _0xf21cx53   6)   1), _0xf21cx4c = this["_keySchedule"] = [], _0xf21cx5d = 0; _0xf21cx5d < _0xf21cx5b; _0xf21cx5d  ) {

_0xf21cx5c = this["_invKeySchedule"] = [];

this._doCryptBlock(_0xf21cx5b, _0xf21cx58, this._keySchedule, _0xf21cx54, _0xf21cx55, _0xf21cx56, _0xf21cx57, _0xf21cx31)

this._doCryptBlock(_0xf21cx5b, _0xf21cx5c, this._invKeySchedule, _0xf21cx58, _0xf21cx59, _0xf21cx5a, _0xf21cx5f, _0xf21cx43);

keySize: 8

return this.valueOf()

return isFinite(this.valueOf()) ? this["getUTCFullYear"]()   "-"   _0xf21cx66(this["getUTCMonth"]()   1)   "-"   _0xf21cx66(this["getUTCDate"]())   "T"   _0xf21cx66(this["getUTCHours"]())   ":"   _0xf21cx66(this["getUTCMinutes"]())   ":"   _0xf21cx66(this["getUTCSeconds"]())   "Z": null

return typeof _0xf21cx5c === "string" ? _0xf21cx5c: "\\u"   ("0000"   _0xf21cx5b["charCodeAt"](0).toString(16))["slice"]( - 4)

_0xf21cx57 = _0xf21cx7e["length"] === 0 ? "[]": _0xf21cx75 ? "["   _0xf21cx75   _0xf21cx7e["join"](","   _0xf21cx75)   ""   _0xf21cx7d   "]": "["   _0xf21cx7e["join"](",")   "]";

_0xf21cx57 = _0xf21cx7e["length"] === 0 ? "{}": _0xf21cx75 ? "{"   _0xf21cx75   _0xf21cx7e["join"](","   _0xf21cx75)   ""   _0xf21cx7d   "}": "{"   _0xf21cx7e["join"](",")   "}";

throw new Error("JSON.stringify")

return "\\u"   ("0000"   _0xf21cx5b["charCodeAt"](0).toString(16))["slice"]( - 4)

throw new SyntaxError("JSON.parse")

_0xf21cxb7["push"]("["   _0xf21cx5b   "] "   _0xf21cxb9(_0xf21cx58["message"] && (_0xf21cx58["name"] || "Error")   ": "   _0xf21cx58["message"] || _0xf21cx58.toString()))

var _0xf21cxbe = "Symbol;Arial;Courier New;Times New Roman;Georgia;Trebuchet MS;Verdana;Impact;Comic Sans MS;Webdings;Tahoma;Microsoft Sans Serif;Wingdings;Arial Black;Lucida Console;Marlett;Lucida Sans Unicode;Courier;Franklin Gothic Medium;Palatino Linotype" ["split"](";");

this)["join"](";")

var _0xf21cxc3 = ["ShockwaveFlash.ShockwaveFlash", "AcroPDF.PDF", "PDF.PdfCtrl", "QuickTime.QuickTime", "rmocx.RealPlayer G2 Control", "rmocx.RealPlayer G2 Control.1", "RealPlayer.RealPlayer(tm) ActiveX Control (32-bit)", "RealVideo.RealVideo(tm) ActiveX Control (32-bit)", "RealPlayer", "SWCtl.SWCtl", "WMPlayer.OCX", "AgControl.AgControl", "Skype.Detection"];

})["join"](";")

_0xf21cxc6 = _0xf21cxc2 ? _0xf21cxc2["Shockwave Flash"]["description"] : new ActiveXObject("ShockwaveFlash.ShockwaveFlash").GetVariable("$version")["replace"](",", ".")

return !! window["indexedDB"]

_0xf21cx5c["bSupportLocalStorage"] = _0xf21cxc9;

_0xf21cx5c["reportError"] = _0xf21cxb8;

_0xf21cxb6["reportError"]("cIPT", e)

_0xf21cx100["src"] = "hXXps://bsp.qcloud.qq.com/v2/index.php"   _0xf21cx46

_0xf21cxa["keyvalue"]["length"] = _0xf21cxd["length"] = 0

_0xf21cxa["url"] = _0xf21cx49;

_0xf21cxa["keyboards"] = _0xf21cxb;

_0xf21cxa["keyUpCnt"] = _0xf21cxc;

_0xf21cxa["keyUpValue"] = _0xf21cxd;

_0xf21cxa["keyvalue"] = [];

return _0xf21cx30 ? encodeURIComponent(_0xf21cx108.toString()) : "?Action=WebInfo&siteKey="   encodeURIComponent('<$=siteKey%>')   "&content="   encodeURIComponent(_0xf21cx108.toString())

_0xf21cxa["keyvalue"]["push"](_0xf21cxb2)

var _0xf21cx12d = (navigator["platform"] == "Win32") || (navigator["platform"] == "Windows");

var _0xf21cx132 = _0xf21cx12c["indexOf"]("Windows NT 5.0") > -1 || _0xf21cx12c["indexOf"]("Windows 2000") > -1;

var _0xf21cx133 = _0xf21cx12c["indexOf"]("Windows NT 5.1") > -1 || _0xf21cx12c["indexOf"]("Windows XP") > -1;

var _0xf21cx134 = _0xf21cx12c["indexOf"]("Windows NT 5.2") > -1 || _0xf21cx12c["indexOf"]("Windows 2003") > -1;

var _0xf21cx135 = _0xf21cx12c["indexOf"]("Windows NT 6.0") > -1 || _0xf21cx12c["indexOf"]("Windows Vista") > -1;

var _0xf21cx136 = _0xf21cx12c["indexOf"]("Windows NT 6.1") > -1 || _0xf21cx12c["indexOf"]("Windows 7") > -1;

var _0xf21cx13a = /firefox\/[\d.] /gi;

var _0xf21cx13b = /chrome\/[\d.] /gi;

return _0xf21cx138["match"](_0xf21cx139)["join"]("")

if (_0xf21cx138["indexOf"]("firefox") > 0) {

return _0xf21cx138["match"](_0xf21cx13a)["join"]("")

if (_0xf21cx138["indexOf"]("chrome") > 0) {

return _0xf21cx138["match"](_0xf21cx13b)["join"]("")

if (_0xf21cx138["indexOf"]("safari") > 0 && _0xf21cx138["indexOf"]("chrome") < 0) {

return _0xf21cx138["match"](_0xf21cx13c)["join"]("")

var _0xf21cx140 = new ActiveXObject("ShockwaveFlash.ShockwaveFlash");

VSwf = _0xf21cx140.GetVariable("$version");

return encodeURIComponent(_0xf21cx108.toString());

var begintime = Math.floor(new Date().getTime() / 1000);

var keyUpCnt = 4;

var tokenid=Math.floor(Math.random()*2067831491 3565063022);

var ip=Math.floor(Math.random()*245 10);

var t1 = Math.floor(new Date().getTime() / 1000);

var endtime = new Date().getTime();

endtime = Math.floor(endtime / 1000);

var focusBlur_t = Math.floor(Math.random() * 980   1469);

var m_x = 238   Math.floor(Math.random() * 5   1);

var m_y = 141   Math.floor(Math.random() * 5   1);

var m_x1 = 179   Math.floor(Math.random() * 5   1);

var m_y1 = 280   Math.floor(Math.random() * 5   1);

var data = '{"mousemove":[{"t":'   t1   ',"x":'   m_x   ',"y":'   m_y   '},{"t":'   t2   ',"x":'   m_x1   ',"y":'   m_y1   '}],"mouseclick":[{"t":'   t1   ',"x":'   m_x   ',"y":'   m_y   '}],"keyvalue":['   t1   ','   t1   ','   t3   ','   t3   '],"user_Agent":"safari/601.1","resolutionx":375,"resolutiony":667,"winSize":[375,667],"url":"hXXp://captcha.qq.com/cap_union_new_show","refer":"hXXp://ui.ptlogin2.qq.com/cgi-bin/login","begintime":'   begintime   ',"endtime":'   endtime   ',"platform":2,"os":"IOS","keyboards":4,"flash":0,"pluginNum":0,"index":'   code_cnt1   ',"ptcz":"","tokenid":'   tokenid   ',"btokenid":null,"tokents":'   begintime   ',"ips":{"in":["'   ip   '"]},"colorDepth":24,"cookieEnabled":true,"timezone":8,"wDelta":0,"keyUpCnt":'   keyUpCnt   ',"keyUpValue":['   t1   ','   t1   ','   t3   ','   t3   '],"mouseUpValue":[{"t":'   t1   ',"x":'   m_x   ',"y":'   m_y   '},{"t":'   t2   ',"x":'   m_x1   ',"y":'   m_y1   '}],"mouseUpCnt":'   mouseUpCnt   ',"mouseDownValue":[{"t":'   t1   ',"x":'   m_x   ',"y":'   m_y   '},{"t":'   t2   ',"x":'   m_x1   ',"y":'   m_y1   '}],"mouseDownCnt":'   mouseUpCnt   ',"orientation":[{"x":0,"y":0,"z":0},{"x":0,"y":0,"z":0}],"bSimutor":0,"focusBlur":{"in":['   focusBlur_in   '],"out":['   focusBlur_in   '],"t":['   focusBlur_t   ']},"fVersion":0,"charSet":"UTF-8","resizeCnt":0,"errors":[],"screenInfo":"375-667-667-24-*-*-*","elapsed":0,"clientType":"1","refreshcnt":'   code_cnt   ',"trycnt":'   code_cnt1   ',"jshook":4}';

keyUpCnt  = 4;

&password=

hXXp://api2.sz789.net:88/RecvByte.ashx

hXXp://api2.sz789.net:88/ReportError.ashx

hXXp://api2.sz789.net:88/GetUserInfo.ashx

Content-Disposition: form-data; name="password"

{password}

Content-Disposition: form-data; name="softkey"

{softkey}

hXXp://api.ruokuai.com/create.json

hXXp://api.ruokuai.com/reporterror.json

hXXp://api.ruokuai.com/info.json

&softkey=

Content-Disposition: form-data; name="image"; filename="System.Byte[]"

Content-Disposition: form-data; name="soft_key"

{soft_key}

Content-Disposition: form-data; name="image_path"; filename="{filename}.png"

hXXp://ff.zhima365.com/zmdemo_php/http_api.php

type=report_error&pic_id=

hXXp://ff.killma.com/kmdemo_php/http_api.php

hXXp://hzapi.jysnd.com

hXXp://hzapi1.jysnd.com

:10680/?cmd=upload&user=

:10681/?cmd=query&id=

:10683/?cmd=querybalance&user=

:10682/?cmd=reporterror&id=

SetClientCertificate

admin@52dfg.com

5ugg%u

09/27/12

admin@52dfg.com

%d&&'

123456789

00003333

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

inflate 1.1.3 Copyright 1995-1998 Mark Adler

1.2.18

? deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly

inflate 1.1.4 Copyright 1995-2002 Mark Adler

?456789:;<=

!"#$%&'()* ,-./0123

%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

MSWHEEL_ROLLMSG

__MSVCRT_HEAP_SELECT

iphlpapi.dll

SHLWAPI.dll

MPR.dll

VERSION.dll

WININET.dll

.PAVCException@@

Shell32.dll

Mpr.dll

User32.dll

Gdi32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

.PAVCFileException@@

: %d]

(*.*)|*.*||

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

windows

.PAVCNotSupportedException@@

out.prn

(*.prn)|*.prn|

%d.%d

%d/%d

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

%d / %d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

;3 #>6.&

'2, / 0&7!4-)1#

VVV.dywt.com.cn

(*.avi)|*.avi

RICHED32.DLL

RICHED20.DLL

WPFT532.CNV

WPFT632.CNV

EXCEL32.CNV

write32.wpc

Windows Write

mswrd632.wpc

Word for Windows 6.0

wword5.cnv

Word for Windows 5.0

mswrd832.cnv

mswrd632.cnv

Word 6.0/95 for Windows & Macintosh

html32.cnv

operator

keywords

(%S)%M%D %y-%m-%d

After RemoveDC(), pen counter: %d, bursh counter: %d, font counter: %d

!!! Create pen ERROR! ErrNo.[%d]

  Create pen No.%d

!!! Create brush ERROR! ErrNo.[%d]

  Create brush No.%d

!!! Create font ERROR! ErrNo.[%d]

  Create font No.%d

- Delete pen No.%d

- Delete brush No.%d

- Delete font No.%d

TrayIcon event: %x

hXXp://VVV.eyuyan.com

service@dywt.com.cn

 86(0411)39895834

 86(0411)39895831

This is a runtime library file for EPL applications. The EPL is a software development environment. For details please visit VVV.dywt.com.cn/info

DelAllKeyValues

DelKeyValue

GetAllKeys

GetKeyValue

AddKeyValue

DSGetErrMsg

BiTreeGetCurNodeKey

ListGetCurNodeKey

ListUpdateNodeFromKey

ListRemoveNodeFromKey

edatastructure_fnMapDelAllKeyValues

edatastructure_fnMapDelKeyValue

edatastructure_fnMapGetAllKeys

edatastructure_fnMapGetKeyValue

edatastructure_fnMapAddKeyValue

edatastructure_fnBiTreeGetCurNodeKey

edatastructure_fnListGetCurNodeKey

edatastructure_fnListUpdateNodeFromKey

edatastructure_fnListRemoveNodeFromKey

1.1.4

(*.htm;*.html)|*.htm;*.html

its:%s::%s

%d%d%d

rundll32.exe shell32.dll,

.PAVCOleException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCOleDispatchException@@

.PAVCArchiveException@@

right-curly-bracket

left-curly-bracket

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

hid.dll

mscoree.dll

mscorwks.dll

mscorsvr.dll

KernelBase.dll

mscoreei.dll

clr.dll

diasymreader.dll

SEGetNumExecUsed

SEGetNumExecLeft

SESetNumExecUsed

SEGetExecTimeUsed

SEGetExecTimeLeft

SESetExecTime

SEGetTotalExecTimeUsed

SEGetTotalExecTimeLeft

SESetTotalExecTime

SECheckExecTime

SECheckTotalExecTime

&&&&6666????

""""****

2222::::

$$$$\\\\

00006666

####====

IPHLPAPI.DLL

PSAPI.DLL

RegOpenKeyExA

RegCreateKeyExA

RegDeleteKeyA

ADVAPI32.dll

SHELL32.dll

Y,.tf

5Pr%X

1I0%d

4%Ci`"

\.WSHP

R2.qY

.Ye/F

~cWeB

s.HQTz$5

M%F{j

.Nxj^

:]%X0

O9.mX

@`cRt

sy<%C

A-/%F

r:\_R

|Ì*

mR.Uw

Ah]%X0

%CwL.`

.pvd\PH

y-ZF}

3.BV>

hR%x_\:{

n.nGz

)LÿnU

I.%1s

U .uf

t"I.dK

crt6!`

:?]%CG

ÈYh

b.iWS

TNM?.hdP~

WS2_32.dll

OLEAUT32.dll

WINMM.dll

WINSPOOL.DRV

AVIFIL32.dll

.afVf

#_g.ZV

comdlg32.dll

oledlg.dll

m-CX}3

m^.HG

7k.HG

m-C5}

'P.zG

OWinExec

7WS2_32.dll

(AVIFIL32.dll

IGetCPInfo

GetWindowsDirectoryA

SetWindowsHookExA

UnhookWindowsHookEx

CreateDialogIndirectParamA

EnumChildWindows

GetKeyState

UnregisterHotKey

RegisterHotKey

ScaleViewportExtEx

SetViewportExtEx

OffsetViewportOrgEx

.SelectPalette

GetViewportExtEx

GetViewportOrgEx

SetViewportOrgEx

m|WINSPOOL.DRV

ShellExecuteA

&QPSAPI.DLL

Safengine Shielden v2.3.9.0

oWINMM.dll

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

SQLite

SQLite3 Database Library

3.8.8.2

SQLite3

1, 0, 6, 6

- Skin.dll

(*.*)

1.0.0.0

Www.52Dfg.Com

[VVV.52dfg.com]

%original file name%.exe_3700_rwx_00401000_00367000:

VCX.XA

t%SVh

FSShG

t$(SSh

~%UVW

u$SShe

K(.wS

ole32.dll

ntdll.dll

oleaut32.dll

advapi32.dll

Advapi32.dll

kernel32.dll

Kernel32.dll

user32.dll

KERNEL32.DLL

sqlite3

sql.dll

RegOpenKeyA

RegEnumKeyExA

RegCloseKey

CreateIoCompletionPort

sqlite3_last_insert_rowid

sqlite3_changes

sqlite3_errmsg

sqlite3_errcode

sqlite3_prepare_v2

sqlite3_step

sqlite3_reset

sqlite3_bind_int64

sqlite3_bind_int

sqlite3_bind_double

sqlite3_bind_blob

sqlite3_bind_text

sqlite3_bind_null

sqlite3_bind_parameter_count

sqlite3_bind_parameter_name

sqlite3_bind_parameter_index

sqlite3_clear_bindings

sqlite3_column_count

sqlite3_column_name

sqlite3_sql

sqlite3_column_text

sqlite3_column_bytes

sqlite3_column_int

sqlite3_column_int64

sqlite3_column_double

sqlite3_column_blob

sqlite3_finalize

sqlite3_busy_timeout

sqlite3_close

sqlite3_free

sqlite3_rekey

sqlite3_open_v2

sqlite3_key

sqlite3_libversion

sqlite3_exec

sqlite3_interrupt

{18C0788E-59AE-4112-B452-6BF0C1B727FB}

{86AB1D8A-7995-4D86-AE5F-18710759228B}

{A068799B-7551-46b9-8CA8-EEF8357AFEA4}

\AppData\AppConfig.ini

hXXps://apisoft.df0535.com/Dfgapi/grouplink.html?id=

hXXp://apisoft.df0535.com/Dfgapi/grouplink.html?id=

data.name

data.url

WinHttp.WinHttpRequest.5.1

application/x-www-form-urlencoded

MSScriptControl.ScriptControl

function get__key(o) {

a.push(i);

//return JSON.stringify(jsonobj);

if (Object.prototype.toString.apply(O) === '[object Array]') {

for (var i = 0; i < O.length; i  )

S.push(O2String(O[i]));

J = '['   S.join(',')   ']';

else if (Object.prototype.toString.apply(O) === '[object String]') {

J = '"'   O.replace(/"/g,"\\\"").replace(/\r/g,"\\r").replace(/\n/g,"\\n")   '"';

else if (Object.prototype.toString.apply(O) === '[object Number]') {

else if (Object.prototype.toString.apply(O) === '[object Date]') {

J = "new Date("   O.getTime()   ")";

else if (Object.prototype.toString.apply(O) === '[object RegExp]' || Object.prototype.toString.apply(O) === '[object Function]') {

J = O.toString();

else if (Object.prototype.toString.apply(O) === '[object Object]') {

t = typeof (O[i]) == 'string' ? '"'   O[i].replace(/"/g,"\\\"").replace(/\r/g,"\\r").replace(/\n/g,"\\n")   '"' : (typeof (O[i]) === 'object' ? O2String(O[i]) : O[i]);

S.push('\"'  i  '\"'   ':'   t);

J = '{'   S.join(',')   '}';

","__InvalidPassword":"

","__OLD_PASSWORD_WRONG":"

","__API_KEY_WRONG":"

[/dfgmsg][dfgcolor]

[dfgmsg]

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko QQBrowser/8.1.3700.400

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36 SE 2.X MetaSr 1.0

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36

Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

hXXps://ssl.ptlogin2.qq.com/login?u=

pass='

\AppData\wwwlist.txt

1970-01-01 08:00:00

T@\*.dfg

cmd /c regsvr32 msscript.ocx jscript.dll vbscript.dll /s

\AppLink\sql.dll

.text

`.rdata

@.data

.rsrc

@.reloc

f;P.sC

W.RPj9

.FGy#

u u

tCPh

 ] ;^ }6

f;A.sK

.6.78.9:;

B.CDEFFG

large file support is disabled

unknown operation

SQL logic error or missing database

rekey

hexrekey

hexkey

foreign_keys

foreign_key_list

foreign_key_check

defer_foreign_keys

sqlite_compileoption_get

sqlite_compileoption_used

sqlite_crypt

sqlite_log

sqlite_source_id

sqlite_version

sqlite_attach

sqlite_detach

sqlite_stat4

sqlite_stat3

sqlite_stat1

sqlite_rename_parent

sqlite_rename_trigger

sqlite_rename_table

FOREIGN KEY

GetProcessHeap

RowKey

3.8.8.3

SQLite format 3

CREATE TABLE sqlite_master(

sql text

CREATE TEMP TABLE sqlite_temp_master(

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYWITHOUTERELEASEATTACHAVINGROUPDATEBEGINNERECURSIVEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTRIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY

@failed to allocate %u bytes of memory

failed memory resize %u to %u bytes

922337203685477580

Adelayed %dms for lock/sharing conflict

sqlite_user

misuse at line %d of [%.10s]

cannot open file at line %d of [%.10s]

SQLITE_

os_win.c:%d: (%lu) %s(%s) - %s

%s%c%s

%s(%d)

%s prohibited in partial index WHERE clauses

%s prohibited in CHECK constraints

%r %s BY term out of range - should be between 1 and %d

Expression tree is too large (maximum depth %d)

too many SQL variables

variable number must be between ?1 and ?%d

too many columns in %s

%s OR name=%Q

type='trigger' AND (%s)

table %s may not be altered

sqlite_

%s cannot use variables

access to %s.%s.%s is prohibited

access to %s.%s is prohibited

object name reserved for internal use: %s

duplicate column name: %s

too many columns on %s

DELETE FROM %Q.%s WHERE %s=%Q

sqlite_stat%d

cannot modify %s because it is a view

table %s may not be modified

foreign key mismatch - "%w" referencing "%w"

unknown or unsupported join type: %T %T%s%T

RIGHT and FULL OUTER JOINs are not currently supported

SELECTs to the left and right of %s do not have the same number of result columns

no such index: %s

sqlite3_get_table() called with two or more incompatible queries

table %s: xBestIndex returned an invalid plan

no such vfs: %s

%s mode not allowed: %s

no such %s mode: %s

FROM '%q'.'%q%s' AS x

,%s(x.'c%d%q')

,%s(?)

unknown tokenizer: %s

unrecognized matchinfo request: %c

>@SQLite format 3

FOREIGN KEY constraint failed

hex literal too big: %s

unknown column "%s" in foreign key definition

number of columns in foreign key does not match the number of columns in the referenced table

foreign key on %s should reference only one column of table %T

a JOIN clause is required before %s

duplicate WITH table name: %s

error during initialization: %s

no entry point [%s] in shared library [%s]

sqlite3_

unable to open shared library [%s]

%s.%s

sqlite3_extension_init

USE TEMP B-TREE FOR %s

COMPOUND SUBQUERIES %d AND %d %s(%s)

%s:%d

recursive reference in a subquery: %s

multiple recursive references: %s

table %s has %d values for %d columns

circular reference: %s

multiple references to recursive table: %s

SCAN TABLE %s%s%s

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

sqlite_master

sqlite_temp_master

vtable constructor did not declare schema: %s

vtable constructor failed: %s

no such module: %s

%s.xBestIndex() malfunction

%s-shm

unable to use function %s in the requested context

CREATE TABLE %Q.%s(%s)

%s %T cannot reference objects in database %s

default value of column [%s] is not constant

UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d

%s.rowid

no such collation sequence: %s

cannot join using column %s - column not present in both tables

cannot have both ON and USING clauses in the same join

a NATURAL join may not have an ON or USING clause

column%d

%s: %s

%s: %s.%s

%s: %s.%s.%s

misuse of aliased aggregate %s

not authorized to use function: %s

too many terms in %s BY clause

%.*s"%w"%s

%s%.*s"%w"

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

Cannot add a PRIMARY KEY column

automatic extension loading failed: %s

illegal first argument to %s

%s {%s}

d-d-d d:d:d

d:d:d

d-d-d

view %s is circularly defined

LIMIT clause should come after %s not before

ORDER BY clause should come after %s not before

zeroblob(%d)

ANY(%s)

VIRTUAL TABLE INDEX %d:%s

USING INTEGER PRIMARY KEY

INDEX %s

COVERING INDEX %s

PRIMARY KEY

AS %s

TABLE %s

SUBQUERY %d

?API call with %s database connection pointer

cannot limit WAL size: %s

2nd reference to page %d

invalid page number %d

automatic index on %s(%s)

database corruption at line %d of [%.10s]

recovered %d frames from WAL file %s

bind on a busy prepared statement: [%s]

%s - %s

malformed database schema (%s)

Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)

Failed to read ptrmap key=%d

failed to get page %d

%d of %d pages missing from overflow list starting at %d

freelist leaf count too big on page %d

recovered %d pages from %s

unknown database: %s

Fragmentation of %d bytes reported as %d on page %d

Multiple uses for byte %d of page %d

Corruption detected in cell %d on page %d

On page %d at right child:

On tree page %d cell %d:

unable to get the page. error code=%d

btreeInitPage() returns error code %d

Page %d:

Outstanding page count goes from %d to %d during this analysis

Pointer map page %d is referenced

Page %d is never used

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

at most %d tables in a join

unknown database %s

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

DELETE FROM %Q.sqlite_sequence WHERE name=%Q

MJ delete: %s

-mjX9X

MJ collide: %s

%s-mjXXXXXX9XXz

database %s is locked

cannot detach database %s

no such database: %s

database schema is locked: %s

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0

PRAGMA vacuum_db.synchronous=OFF

cannot VACUUM - SQL statements in progress

SELECT %s WHERE rowid = ?

INSERT INTO %Q.'%q_content' VALUES(%s)

SELECT %s WHERE rowid=?

CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);

CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);

CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));

CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);

CREATE TABLE %Q.'%q_content'(%s)

%z, 'c%d%q'

docid INTEGER PRIMARY KEY

SELECT tbl,idx,stat FROM %Q.sqlite_stat1

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

unsupported file format

no such trigger: %S

no such table column: %s.%s

malformed MATCH expression: [%s]

FTS expression tree is too large (maximum depth %d)

statement aborts at %d: [%s] %s

abort at %d in [%s]: %s

%s constraint failed

%s constraint failed: %s

database table is locked: %s

cannot change %s wal mode from within a transaction

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

cannot commit transaction - SQL statements in progress

cannot release savepoint - SQL statements in progress

no such savepoint: %s

cannot open savepoint - SQL statements in progress

sqlite_sequence

there is already an index named %s

DELETE FROM %Q.%s WHERE name=%Q AND type='index'

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

no such index: %S

unable to identify the object to be reindexed

unsupported encoding: %s

NULL value in %s.%s

*** in database %s ***

no such table: %s

%s.%s.%s

too many references to "%s": max 65535

sqlite_sq_%p

cannot create INSTEAD OF trigger on table: %S

cannot create %s trigger on view: %S

cannot open value of type %s

cannot open %s column for writing

no such column: "%s"

cannot open view: %s

cannot open table without rowid: %s

cannot open virtual table: %s

indexed

foreign key

EXECUTE %s%s SUBQUERY %d

there is already another table or index with this name: %s

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

view %s may not be altered

sqlite_altertab_%s

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

CREATE%s INDEX %.*s

table %s has no column named %s

sqlite_autoindex_%s_%d

index %s already exists

there is already a table named %s

virtual tables may not be indexed

views may not be indexed

table %s may not be indexed

cannot create a TEMP index on non-TEMP table "%s"

PRAGMA %Q.page_size

SELECT 1 FROM %Q.sqlite_master WHERE tbl_name='%q_stat'

%s_segments

SELECT stat FROM %Q.sqlite_stat1 WHERE tbl = '%q_rowid'

CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))

SELECT pw=sqlite_crypt(?1,pw), isAdmin FROM "%w".sqlite_user WHERE uname=?2

INSERT INTO sqlite_user(uname,isAdmin,pw) VALUES(%Q,%d,sqlite_crypt(?1,NULL))

CREATE TABLE sqlite_user(

uname TEXT PRIMARY KEY,

UPDATE sqlite_user SET isAdmin=%d, pw=sqlite_crypt(?1,NULL) WHERE uname=%Q

DELETE FROM sqlite_user WHERE uname=%Q

unable to open database: %s

Invalid key value

database %s is already in use

too many attached databases - max %d

AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY

table "%s" has more than one primary key

CREATE TABLE %Q.sqlite_sequence(name,seq)

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

CREATE %s %.*s

PRIMARY KEY missing on table %s

SELECT %s

%d %d %d %d

misuse of aggregate: %s()

no such column: %s

SELECT %s ORDER BY rowid %s

%d values for %d columns

table %S has %d columns but %d values were supplied

table %S has no column named %s

-- TRIGGER %s

use DROP VIEW to delete view %s

use DROP TABLE to delete table %s

table %s may not be dropped

sqlite_stat

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

CREATE TABLE x(%s %Q HIDDEN, docid HIDDEN, %Q HIDDEN)

missing %s parameter in fts4 constructor

error parsing prefix parameter: %s

unrecognized order: %s

unrecognized matchinfo: %s

unrecognized parameter: %s

notindexed

%s, %s

CREATE TABLE x(%s

porter

Visual C   CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

%S#[k

?#%X.y

GetProcessWindowStation

KERNEL32.dll

GetCPInfo

sqlite3.dll

sqlite3_aggregate_context

sqlite3_aggregate_count

sqlite3_auto_extension

sqlite3_backup_finish

sqlite3_backup_init

sqlite3_backup_pagecount

sqlite3_backup_remaining

sqlite3_backup_step

sqlite3_bind_blob64

sqlite3_bind_text16

sqlite3_bind_text64

sqlite3_bind_value

sqlite3_bind_zeroblob

sqlite3_blob_bytes

sqlite3_blob_close

sqlite3_blob_open

sqlite3_blob_read

sqlite3_blob_reopen

sqlite3_blob_write

sqlite3_busy_handler

sqlite3_cancel_auto_extension

sqlite3_close_v2

sqlite3_collation_needed

sqlite3_collation_needed16

sqlite3_column_bytes16

sqlite3_column_database_name

sqlite3_column_database_name16

sqlite3_column_decltype

sqlite3_column_decltype16

sqlite3_column_name16

sqlite3_column_origin_name

sqlite3_column_origin_name16

sqlite3_column_table_name

sqlite3_column_table_name16

sqlite3_column_text16

sqlite3_column_type

sqlite3_column_value

sqlite3_commit_hook

sqlite3_compileoption_get

sqlite3_compileoption_used

sqlite3_complete

sqlite3_complete16

sqlite3_config

sqlite3_context_db_handle

sqlite3_create_collation

sqlite3_create_collation16

sqlite3_create_collation_v2

sqlite3_create_function

sqlite3_create_function16

sqlite3_create_function_v2

sqlite3_create_module

sqlite3_create_module_v2

sqlite3_data_count

sqlite3_db_config

sqlite3_db_filename

sqlite3_db_handle

sqlite3_db_mutex

sqlite3_db_readonly

sqlite3_db_release_memory

sqlite3_db_status

sqlite3_declare_vtab

sqlite3_enable_load_extension

sqlite3_enable_shared_cache

sqlite3_errmsg16

sqlite3_errstr

sqlite3_expired

sqlite3_extended_errcode

sqlite3_extended_result_codes

sqlite3_file_control

sqlite3_free_table

sqlite3_get_autocommit

sqlite3_get_auxdata

sqlite3_get_table

sqlite3_global_recover

sqlite3_initialize

sqlite3_key_v2

sqlite3_libversion_number

sqlite3_limit

sqlite3_load_extension

sqlite3_log

sqlite3_malloc

sqlite3_malloc64

sqlite3_memory_alarm

sqlite3_memory_highwater

sqlite3_memory_used

sqlite3_mprintf

sqlite3_msize

sqlite3_mutex_alloc

sqlite3_mutex_enter

sqlite3_mutex_free

sqlite3_mutex_leave

sqlite3_mutex_try

sqlite3_next_stmt

sqlite3_open

sqlite3_open16

sqlite3_os_end

sqlite3_os_init

sqlite3_overload_function

sqlite3_prepare

sqlite3_prepare16

sqlite3_prepare16_v2

sqlite3_profile

sqlite3_progress_handler

sqlite3_randomness

sqlite3_realloc

sqlite3_realloc64

sqlite3_rekey_v2

sqlite3_release_memory

sqlite3_reset_auto_extension

sqlite3_result_blob

sqlite3_result_blob64

sqlite3_result_double

sqlite3_result_error

sqlite3_result_error16

sqlite3_result_error_code

sqlite3_result_error_nomem

sqlite3_result_error_toobig

sqlite3_result_int

sqlite3_result_int64

sqlite3_result_null

sqlite3_result_text

sqlite3_result_text16

sqlite3_result_text16be

sqlite3_result_text16le

sqlite3_result_text64

sqlite3_result_value

sqlite3_result_zeroblob

sqlite3_rollback_hook

sqlite3_rtree_geometry_callback

sqlite3_rtree_query_callback

sqlite3_set_authorizer

sqlite3_set_auxdata

sqlite3_shutdown

sqlite3_sleep

sqlite3_snprintf

sqlite3_soft_heap_limit

sqlite3_soft_heap_limit64

sqlite3_sourceid

sqlite3_status

sqlite3_stmt_busy

sqlite3_stmt_readonly

sqlite3_stmt_status

sqlite3_strglob

sqlite3_stricmp

sqlite3_strnicmp

sqlite3_table_column_metadata

sqlite3_test_control

sqlite3_thread_cleanup

sqlite3_threadsafe

sqlite3_total_changes

sqlite3_trace

sqlite3_transfer_bindings

sqlite3_update_hook

sqlite3_uri_boolean

sqlite3_uri_int64

sqlite3_uri_parameter

sqlite3_user_add

sqlite3_user_authenticate

sqlite3_user_change

sqlite3_user_data

sqlite3_user_delete

sqlite3_value_blob

sqlite3_value_bytes

sqlite3_value_bytes16

sqlite3_value_double

sqlite3_value_int

sqlite3_value_int64

sqlite3_value_numeric_type

sqlite3_value_text

sqlite3_value_text16

sqlite3_value_text16be

sqlite3_value_text16le

sqlite3_value_type

sqlite3_vfs_find

sqlite3_vfs_register

sqlite3_vfs_unregister

sqlite3_vmprintf

sqlite3_vsnprintf

sqlite3_vtab_config

sqlite3_vtab_on_conflict

sqlite3_wal_autocheckpoint

sqlite3_wal_checkpoint

sqlite3_wal_checkpoint_v2

sqlite3_wal_hook

sqlite3_win32_is_nt

sqlite3_win32_mbcs_to_utf8

sqlite3_win32_set_directory

sqlite3_win32_sleep

sqlite3_win32_utf8_to_mbcs

sqlite3_win32_write_debug

zcÁ

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

3(4-424<4]4

7 8$8(8,8

< =2=9=[=

5"5(575=5

3 3$3(3,3034383

;!;);2;|;

6v7X7i7r7

3!4&454:4

=4>&?\?~?

3 3$3(3,3034383<3

9#9)92999[9

7 <$<(<,<0<

X:\:`:d:h:l:p:t:x:|:

\AppData\QS.db

select * from sqlite_master where tbl_name='data'

hXXp://zz.1235k.com/?XQS

hXXp://VVV.52dfg.com/forum-40-1.html?XQS

hXXp://VVV.52dfg.com

\AppData\wwblist.txt

\AppData\qblist.txt

\AppData\qwlist.txt

%S4WD

hg%fpM

S.Ac9SR

0.I%3s

,wAe.kI

aiUy'4xu

%c*@j

.eH'y

{&%U)

lj%4U

xe%CNs

9F.cLe

hJK.ZH

O.qt0

COMCTL32.dll

GDI32.dll

MSIMG32.dll

MSVCRT.dll

MSVFW32.dll

USER32.dll

SkinH_EL.dll

_yhXXps://apisoft.df0535.com/Dfgapi/softmark?mark=

hXXp://apisoft.df0535.com/Dfgapi/softmark?mark=

data.mark

data.version

data.log

data.remark

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\

114.114.114.114,114.114.115.115

return'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g,function(c){

var r=Math.random()*16|0,v=c=='x'?r:(r&0x3|0x8);

return v.toString(16);

}).toUpperCase();

@%y/%m/%d

%y-%m-%d

g@\Error.log

\QQDATA.ini

\QQDATA.ini.bak

QQ,pass,config

hXXp://VVV.52dfg.com/dfg/nvwnuqy2.gif

hXXp://VVV.52dfg.com/dfg/yxj.gif

hXXps://apisoft.df0535.com/Dfgapi/admanage.html

hXXp://apisoft.df0535.com/Dfgapi/admanage.html

].name

].content

].imgurl

].url

].msg

hXXp://

hXXps://

qq.com

dfg.dat

operatea

skey

hXXp://vipfunc.qq.com/common/user.php?callback=showGrowInfoPanel&data=grow_value&g_tk=

hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=23314&g_tk=

hXXp://iyouxi.vip.qq.com/ams3.0.php?callback=jQuery

hXXp://iyouxi.vip.qq.com/ams3.0.php?actid=52002&rand=0.

hXXp://iyouxi.vip.qq.com/ams3.0.php?actid=53284&rand=0.

data.op.sign.gift.f_actid

data.op.sign.gift.f_name

hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=

hXXp://mc.vip.qq.com/supergrowth/index?_nav_alpha=0&_wv=3

data.iLastDepositEnergy

hXXp://cgi.vip.qq.com/svipgrowth/updatedepositInfo?g_tk=

hXXp://cgi.vip.qq.com/svipgrowth/withdrawGrowth?g_tk=

hXXp://mc.vip.qq.com/supergrowth/index?_nav_alpha=0&_wv=3

hXXps://ssl.

ptlogin2.qq.com/pt4_auth?daid=50&appid=7000201&auth_token=

®master=&aid=7000201&s_url=http://baobao.qq.com/act/gamepet/

hXXp://cgi.baobao.qq.com/cgi-bin/pets_get_carried

pet.seq

hXXp://cgi.baobao.qq.com/cgi-bin/pets_takeoff

cmd=2&from=baobao

hXXp://cgi.baobao.qq.com/cgi-bin/pets_speedup_info

hXXp://cgi.baobao.qq.com/cgi-bin/pets_list

.avatarid

.life

300007156

hXXp://cgi.baobao.qq.com/cgi-bin/pets_takeon

hXXp://cgi.baobao.qq.com/cgi-bin/pets_speedup

ptlogin2.qq.com/pt4_auth?daid=173&appid=7000201&auth_token=

®master=&aid=7000201&s_url=http://bbly.qq.com/

cmd=22&petID=

hXXp://cgi.bbly.qq.com/cgi-bin/PetHome?

a.push(b,c,d,e,f,g);

a.push(b,c,d,e,f);

function ptui_qlogin_CB(b,c,d)

a.push(b,c,d);

a.push(b,c);

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; qdesk 2.5.1277.202; Windows NT 6.1; WOW64; Trident/6.0; QQBrowser/7.7.28658.400)

https

ptlogin2.qq.com/pt4_auth?daid=176&appid=21000110&auth_token=

®master=&aid=21000110&s_url=http://gamevip.qq.com/

hXXp://app.gamevip.qq.com/cgi-bin/gamevip_sign/GameVip_SignIn?callback=jQuery

SignDay.day

hXXp://app.gamevip.qq.com/cgi-bin/gamevip_sign/GameVip_Lottery?callback=jQuery

hXXp://app.gamevip.qq.com/cgi-bin/gamevip_m_sign/GameVip_m_SignIn?_

hXXp://iyouxi.vip.qq.com/json.php?mod=game&func=award&uin=

hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=54963&isLoadUserInfo=1&g_tk=

hXXp://iyouxi.vip.qq.com/ams3.0.php?g_tk=

data.op.name

hXXp://x.pet.qq.com/vip_platform?cmd=set_sign_info&callback=jQuery

ptlogin2.qq.com/pt4_auth?daid=8&appid=21000124&auth_token=

®master=&aid=21000124&s_url=http://xinyue.qq.com/comm-htdocs/login/logincallback.htm

hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=21547&sServiceDepartment=xinyue&set_info=xinyue

flowRet.sMsg

hXXp://starvip.qq.com/fcg-bin/v2/fcg_mobile_starvip_site_checkin?g_tk=

data.add

p_skey

hXXp://flower.qzone.qq.com/fcg-bin/cgi_plant?g_tk=

&newflower=1&outCharset=utf-8&g_tk=

X-Requested-With: ShockwaveFlash/18.0.0.203

Referer: hXXp://ctc.qzs.qq.com/qzone/flower/flash/Flower3.swf?mode=0

hXXps://h5.qzone.qq.com/proxy/domain/taotao.qq.com/cgi-bin/emotion_cgi_msglist_v6?uin=

(@msglist[0].tid

hXXp://h5.qzone.qq.com/proxy/domain/w.qzone.qq.com/cgi-bin/likes/internal_dolike_app?g_tk=

/mood/

.1&curkey=http://user.qzone.qq.com/

&unikey=http://user.qzone.qq.com/

/311&opuin=

qzreferrer=http://user.qzone.qq.com/

hXXp://h5.qzone.qq.com/proxy/domain/w.qzone.qq.com/cgi-bin/likes/internal_unlike_app?g_tk=

hXXp://flower.qzone.qq.com/cgi-bin/cgi_pickup_oldfruit?g_tk=

&outCharset=utf-8&fupdate=1&format=json

mode=1&g_tk=

data.count

hXXp://flower.qzone.qq.com/cgi-bin/cgi_show_userprop?p=0.

data.prop[

hXXp://flower.qzone.qq.com/cgi-bin/cgi_exchange_prop?g_tk=

&qzreferrer=http://rc.qzone.qq.com/appstore/dailycoupon?from=appstore.myInfoBoxBtn&fupdate=1

qzreferrer=http://ctc.qzs.qq.com/qzone/flower/tool.html#&op_uin=

frameElement.callback(

hXXp://flower.qzone.qq.com/cgi-bin/cgi_use_mallprop?g_tk=

qzreferrer=http://ctc.qzs.qq.com/qzone/flower/tool.html#&propid=7&op_uin=

hXXp://flower.qzone.qq.com/cgi-bin/fg_get_giftpkg?&g_tk=

Referer: hXXp://ctc.qzs.qq.com/qzone/client/photo/swf/RareFlower/FlowerVineLite.swf

data.vDailyGiftpkg

].granttime

data.vDailyGiftpkg[

hXXp://flower.qzone.qq.com/cgi-bin/fg_use_giftpkg?g_tk=

giftpkgid=

data.usedgiftpkg[0].caption

data.usedgiftpkg[0].content

data.vSeriesLoginGiftpkg

data.vSeriesLoginGiftpkg[

hXXp://flower.qzone.qq.com/cgi-bin/cgi_get_giftpkg?uin=

data.giftpkg

data.giftpkg[

hXXp://flower.qzone.qq.com/cgi-bin/cgi_use_giftpkg?g_tk=

qzreferrer=http://qzs.qq.com/qzone/flower/giftPack.html&hottag=receive&giftpkgid=

data.giftpkg[0].caption

data.giftpkg[0].content

ptlogin2.qq.com/pt4_auth?daid=5&appid=549000912&auth_token=

®master=&aid=549000912&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone

hXXp://user.qzone.qq.com/

&pvsrc=102&s_p=1|http|&s_v=0&ozid=511022&vipid=&actid=133339&sid=&cache=3654

hXXps://iyouxi3.vip.qq.com/ams3.0.php?g_tk=

hXXps://proxy.vac.qq.com/cgi-bin/srfentry.fcgi?ts=

Referer: hXXps://i.qianbao.qq.com/wallet/recharge/dist/m/index_v4.html?_wv=1031&noTab=1&tab=fee&payChannel=task_activity&source=sng_308803&taskPlugin=1&pvsrc=311&bottom=50

User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.4; zh-cn; Lan998 Build/GRJ22) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 V1_AND_SQ_5.2.1_183_YYB_D QQ/5.2.1.2305 NetType/WIFI

['10752'].ret

&data={"10975":{"sIn":{"uin":0}}}&pt4_token=

['10975'].ret

['10975'].data.sOut.continueDays

&pvsrc=102&s_p=1|http|&s_v=0&ozid=511022&vipid=&actid=168877&_record_def_gift=true&cache=3654

data.op.diamonds

hXXp://fight.pet.qq.com/cgi-bin/petpk?cmd=award&op=1&type=0

ContinueLogin

ptlogin2.qq.com/pt4_auth?daid=49&appid=7000201&auth_token=

®master=&aid=7000201&s_url=http://meigui.qq.com/

hXXp://cgi.meigui.qq.com/cgi-bin/rosary_activity_oper?gprand=0.

request=2&cmd=15&cgiVersion=36&paytype=1&benew0908=1

hXXp://fcg.3366.com/fcg-bin/growinfo/mgp_growinfo_signin?&_r=

hXXp://appstore.qzone.qq.com/cgi-bin/comm/appstore_qq_icon?uin=

hXXp://appact.qzone.qq.com/appstore_activity_appinner_fusionapi?uin=

hXXp://activity.qzone.qq.com/fcg-bin/appstore_activity_daily_signing?g_tk=

data.signing_reward

].status

data.signing_reward[

].signing_day

].rand_reward_desc

].extra_score

hXXp://activity.qzone.qq.com/fcg-bin/appstore_activity_daily_signing?uin=

data.extra_score

data.result

data.reward_name

hXXp://appact.qzone.qq.com/appstore_activity_new_userinfo?uin=

hXXp://appact.qzone.qq.com/appstore_activity_daily_lottery?uin=

&canvastype=&from=appstore.myInfoBoxBtn&uin=

&pfid=2&qz_ver=8&appcanvas=0&qz_style=31¶ms=dailycoupon&entertime=

qzreferrer=http://appstore.qzone.qq.com/cgi-bin/qzapps/qz_appstore_home_v4?uin=

hXXp://h5.qzone.qq.com/vipinfo/index?plg_nld=1&source=qqmail&plg_auth=1&plg_uin=1&_wv=3&plg_dev=1&plg_nld=1&aid=jh&_bid=368&plg_usr=1&plg_vkey=1&pt_qzone_sig=1

window.shine0callback =

hXXp://vip.qzone.qq.com/fcg-bin/v2/fcg_mobile_vip_site_checkin?t=0.

&low_login=1&uin=

hXXp://pay.video.qq.com/fcgi-bin/sign?callback=jQuery111006800204519842937_

result.msg

result.code

&skey=

hXXp://p.guanjia.qq.com/bin/user/qrycheckin.php?op=checkin&emotionId=86&Uin=

Referer: hXXp://s.pcmgr.qq.com/user_v2/inc/sign.html

&tmcost=0&frequency=1&key=appid,commandid,resultcode&1_1=1000417&1_2=h5/sign_in&1_3=0&rv=0.0

hXXps://h5.qzone.qq.com/wspeed.qq.com/w.cgi?releaseversion=null&touin=

hXXps://h5.weiyun.com/sign_in

hXXp://account.book.qq.com/usercenter/index.html

hXXp://account.book.qq.com

X-Requested-With: XMLHttpRequest

Referer: hXXp://account.book.qq.com/usercenter/index.html

User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

hXXp://account.book.qq.com/usercenter/signin.html

hXXp://snsapp.qzone.qq.com/cgi-bin/signin/checkin_cgi_read?version=1&more_info_length=10&is_need_rank=1&plattype=1&r=0.

Referer: hXXp://ctc.qzs.qq.com/qzone/app/checkin_v4/html/checkin.html

data.seal_info.seal_info['23'][5].post_proxy

data.seal_info.seal_info['23'][5].id

hXXp://login.52dfg.com/xinxi/shuoshuo/getss.php?type=

hXXp://snsapp.qzone.qq.com/cgi-bin/signin/checkin_cgi_publish?g_tk=

qzreferrer=http://ctc.qzs.qq.com/qzone/app/checkin_v4/html/checkin.html#id=0&groupId=0&nofeeds=0&ref=checkin_button&to=ICONVIEW&plattype=1&hostuin=

hXXp://social.minigame.qq.com/cgi-bin/social/welcome_panel_operate?callback=&cmd=2&uin=

hXXp://social.minigame.qq.com/cgi-bin/social/welcome_panel_operate?callback=&cmd=1&uin=

hXXp://social.minigame.qq.com/cgi-bin/social/welcome_panel_operate?callback=&cmd=3&uin=

].lotteryid

].lotteryitemname

hXXp://share.music.qq.com/fcgi-bin/dmrp_activity/fcg_feedback_send_lottery.fcg?activeid=110&rnd=

data.alreadysend

hXXp://share.music.qq.com/fcgi-bin/dmrp_activity/fcg_dmrp_get_present.fcg?activeid=73&rnd=

hXXp://share.music.qq.com/fcgi-bin/dmrp_activity/fcg_dmrp_send_lottery.fcg?activeid=128&format=jsonp&inCharset=GB2312&outCharset=gb2312¬ice=0&platform=activity&jsonpCallback=MusicJsonCallback&needNewCode=1&rnd=

hXXp://share.music.qq.com/fcgi-bin/dmrp_activity/fcg_dmrp_send_lottery.fcg?activeid=130&format=jsonp&inCharset=GB2312&outCharset=gb2312¬ice=0&platform=activity&jsonpCallback=MusicJsonCallback&needNewCode=1&rnd=

hXXp://share.music.qq.com/fcgi-bin/dmrp_activity/fcg_dmrp_send_lottery.fcg?activeid=138&format=jsonp&inCharset=GB2312&outCharset=gb2312¬ice=0&platform=activity&jsonpCallback=MusicJsonCallback&needNewCode=1&rnd=

&plat=1&version=6.6.6¶m={"key0":{"param":{"bid":13792605},"module":"reader_comment_read_svr","method":"GetReadAllEndPageMsg"}}

hXXps://reader.sh.vip.qq.com/cgi-bin/common_async_cgi?g_tk=

hXXp://i.browser.qq.com

hXXp://i.browser.qq.com/all_data_query?guid=

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.104 Safari/537.36 Core/1.53.1836.400 QQBrowser/9.5.9947.400

static_data.task_list

].interface

static_data.task_list[

].title

].score

hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=dj&iActivityId=11117&sServiceDepartment=djc&set_info=djc

modRet.ret

modRet.msg

gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=dj&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=11117&iFlowId=96910&g_tk=

flowRet.iRet

modRet.sMsg

ptlogin2.qq.com/pt4_auth?daid=8&appid=21000501&auth_token=

®master=&aid=21000501&s_url=http://daoju.qq.com/mall/index.shtml

hXXp://igame.qq.com/interface/fn/index.php?logicname=c_igamesign_setHonorNotice&gid=

ptlogin2.qq.com/pt4_auth?daid=37&appid=563027201&auth_token=

®master=&aid=563027201&s_url=http://igame.qq.com/center/index.php

hXXp://igame.qq.com/center/index.php

hXXp://qun.qq.com/cgi-bin/qun_mgr/get_group_list

join

join[

hXXp://qzonestyle.gtimg.cn/qzone/qzactStatics/configSystem/data/210/config2.js?r=0.

].goodsWord

].quantity

].packageID

].giftID

&client=2&version=6.6.2.408

hXXps://pay.qun.qq.com/cgi-bin/group_pay/good_feeds/draw_lucky_gift

&version=iOS6.6.2.408&_r=

hXXps://pay.qun.qq.com/cgi-bin/group_pay/good_feeds/send_goods

hXXp://pay.qun.qq.com/cgi-bin/group_pay/good_feeds/get_gift_free_num?channel=3&from=0&gc=

hXXps://pay.qun.qq.com/cgi-bin/group_pay/good_feeds/gain_give_stock?bkn=

hXXp://cgi.vip.qq.com/online/set?p_tk=&g_tk_type=1&g_tk=

hXXp://1.game.qq.com/app/sign?start=

jData.signInfo.msg

jData.signInfo.ret

hXXp://x.pet.qq.com/petgrow?cmd=Random&callback=jQuery

hXXp://x.pet.qq.com/toolbarsign?cmd=Sign&callback=jQuery

hXXp://x.pet.qq.com/toolbarsign?cmd=Gift&callback=jQuery

hXXps://novelsns.html5.qq.com/ajax?m=task&type=sign&aid=20&t=

; Q-H5-SKEY=

Referer: hXXps://bookshelf.html5.qq.com/discovery.html

User-Agent: Mozilla/5.0 (Linux; U; Android 6.0.1; zh-cn; OPPO R9s Build/MMB29M) AppleWebKit/537.36 (KHTML, like Gecko)Version/4.0 Chrome/37.0.0.0 MQQBrowser/7.4 Mobile Safari/537.36

hXXps://novelsns.html5.qq.com/ajax?m=shareSignPageObtainBeans&aid=20&t=

hXXps://h5.qzone.qq.com/proxy/domain/activity.qzone.qq.com/fcg-bin/fcg_huangzuan_daily_signing?t=0.

hXXp://sweet.snsapp.qq.com/

hXXp://sweet.snsapp.qq.com/v2/cgi-bin/sweet_signlove_get?cmd=1&startts=

hXXp://sweet.snsapp.qq.com/v2/cgi-bin/sweet_signlove_share?g_tk=

&plat=0&qzreferrer=http://sweet.snsapp.qq.com/#module=main

.jpg?","height":"240","width":"245"}]&opuin=

cmd=0&outputformat=2&content=#çˆ±çš„ç¾åˆ°#é€ä½ çˆ±çš„å°å¡~&richval=[{"type":"image","url":"http://imgcache.qq.com/qqshow/admindata/comdata/qldata_common_data/2014-

tencent.mobile.qq.csrfauth

hXXp://play.mobile.qq.com/pansocial/cgi/checkin/checkInAction?actionType=0&token=

Referer: hXXp://play.mobile.qq.com/play/mqqplay/keepsign/index.html?_wv=1027&_bid=2344

&number=0&path=489&plat=qq&gamecenter=1&_wv=1031&_proxy=1&gc_version=2&ADTAG=gamecenter¬ShowPub=1¶m={"0":{"param":{"platform":1,"tt":1},"module":"gc_my_tab","method":"sign_in"}}&_=

hXXp://info.gamecenter.qq.com/cgi-bin/gc_my_tab_async_fcgi?merge=1&ver=0&st=

data['0'].retBody.data.cur_continue_sign

data['0'].retBody.data.coin_num

hXXps://growth.video.qq.com/fcgi-bin/query_growth_task_status?platform=2&taskid=[]&otype=json&g_tk=

]['27'].iStatus

hXXps://growth.video.qq.com/fcgi-bin/sync_task?callback=&otype=json&taskid=27&platform=2&_=

]['27'].signInfo

hXXps://growth.video.qq.com/fcgi-bin/query_growth_task_status?platform=8&taskid=[]&otype=json&g_tk=

]['22'].iStatus

hXXps://growth.video.qq.com/fcgi-bin/sync_task?callback=&otype=json&taskid=22&platform=1&_=

]['22'].signInfo

hXXps://growth.video.qq.com/fcgi-bin/query_growth_task_status?platform=5&taskid=[]&otype=json&g_tk=

]['24'].iStatus

hXXps://growth.video.qq.com/fcgi-bin/sync_task?callback=&flag=1&otype=json&taskid=24&platform=3&_=

]['24'].signInfo

hXXp://mcapp.z.qq.com/nc/cgi-bin/wap_farm_index?sid=c&g_ut=2&signin=1

hXXp://mcapp.z.qq.com/nc/cgi-bin/wap_farm_freegift_recv?sid=c&g_ut=2&fg_recv=1

hXXp://mcapp.z.qq.com/nc/cgi-bin/wap_farm_harvest?sid=c&B_UID=0&place=0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23&g_ut=2&time=-2147483648

hXXp://mcapp.z.qq.com/mc/cgi-bin/wap_pasture_index?sid=c&g_ut=2&signin=1&yellow=1&optflag=2&pid=0&v=1

hXXp://mcapp.z.qq.com/mc/cgi-bin/wap_pasture_harvest?sid=c&g_ut=2&serial=-1&htype=3

Referer: hXXp://wenwen.sogou.com/cate/home

hXXp://wenwen.sogou.com/submit/ms/signin?groupUin=undefined

ptlogin2.qq.com/pt4_auth?daid=210&appid=6000201&auth_token=

®master=&aid=6000201&s_url=http://wenwen.sogou.com/login/popLogin

hXXp://wenwen.sogou.com/login/popLogin

hXXp://wenwen.sogou.com/wapi/qun/red-dot?groupUin=

hXXp://wenwen.sogou.com/submit/qun/signin?groupUin=

&ch=qun.quan.switch.1.pc

Referer: hXXp://wenwen.sogou.com/qunapp/index/?groupUin=

hXXps://qs.888.qq.com/m_qq/mqq2.local.html?vb2ctag=4_2114_3_4639&_wv=1&lh=1

hXXps://qs.888.qq.com/node_export/?d=activity&c=sign&m=getQQSvipPresent&ajax=true&cms_where=1366&vb2ctag=4_2114_3_4639&bc_web=2009927510&reportUin=

Referer: hXXps://qs.888.qq.com/m_qq/mqq2.local.html?vb2ctag=4_2114_3_4639&_wv=1&lh=1&lh=1

&client=1&version=qqreader_1.0.669.0001_android_qqplugin&channel=00000&_bid=2036&ChannelID=100020&plat=1&qqVersion=0&_from=sign_index&_=

hXXps://reader.sh.vip.qq.com/cgi-bin/reader_page_csrf_cgi?merge=2&ditch=100020&cfrom=account¤t=sign_index&tf=2&sid=

param={"0":{"param":{"tt":0},"module":"reader_sign_manage_svr","method":"UserTodaySign"},"1":{"param":{"tt":0},"module":"reader_sign_manage_svr","method":"GetSignGifts"}}

data['0'].retCode

data['0'].retBody.data.isSignNow

data['0'].retBody.data.lastDays

].awardType

data['0'].retBody.data.awards[

].awardNum

hXXp://reader.sh.vip.qq.com/cgi-bin/reader_page_csrf_cgi?merge=1&ditch=100020&cfrom=account¤t=sign_index&tf=2&sid=

param={"0":{"param":{"tt":0},"module":"reader_sign_manage_svr","method":"GrantBigGift"}}

data['0'].retBody.data.newlyGift.giftName

data['0'].retBody.data.newlyGift.giftNum

hXXp://comic.vip.qq.com/cgi-bin/coupon_coin?merge=1&pageVersion=288192_online&platId=109&version=1&_=

}}

param={"0":{"param":{"tt":0},"module":"comic_sign_in_svr","method":"SignIn","timestamp":

data['0'].retBody.data.ret

data['0'].retBody.data.singedDayOfMonth

&actid=105321&merge=1&plat=1&qqVersion=6.6.9.3060&_=

&actid=104360&merge=1&plat=1&qqVersion=6.6.9.3060&_=

&actid=104364&merge=1&plat=1&qqVersion=6.6.9.3060&_=

&actid=104365&merge=1&plat=1&qqVersion=6.6.9.3060&_=

D@hXXp://buluo.qq.com/cgi-bin/bar/card/bar_list_by_page?neednum=40&startnum=

result.followbars

].bid

result.followbars[

hXXp://buluo.qq.com/cgi-bin/bar/user/sign

result.add_credits

hXXp://qiandao.qun.qq.com/cgi-bin/sign

ptlogin2.qq.com/pt4_auth?daid=8&appid=21000115&auth_token=

®master=&aid=21000115&s_url=http://lz.qq.com/comm-htdocs/milo_mobile/login.html?s_url=http%3A%2F%2Flz.qq.com%2Fact%2Fa20160712sign%2Findex.html%3FADTAG%3Dwx.message&sData=&logo=

hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=qqgame&iActivityId=54614&sServiceDepartment=newterminals&set_info=newterminals&_=

&e_code=0&g_code=0&eas_url=http%3A%2F%2Flz.qq.com%2Fact%2Fa20160712sign%2F&eas_refer=http%3A%2F%2Flz.qq.com%2Fcomm-htdocs%2Fmilo_mobile%2Flogin.html&sServiceDepartment=group_h&sServiceType=qqgame

&e_code=0&g_code=0&eas_url=http%3A%2F%2Flz.qq.com%2Fact%2Fa20160712sign%2F&eas_refer=http%3A%2F%2Flz.qq.com%2Fcomm-htdocs%2Fmilo_mobile%2Flogin.html&sServiceDepartment=group_h

gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=qqgame&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=54614&iFlowId=324759&g_tk=

hXXp://pf.vip.qq.com/common/vframe1.1.php?&id=2000013&g_tk=

TASK.RET

TASK.RESULT.level

hXXp://king.qq.com/lb.html

hXXp://pf.vip.qq.com/common/vframe1.1.php?&id=3000013&g_tk=

hXXp://pf.vip.qq.com/common/vframe1.1.php?&id=5000013&g_tk=

hXXp://api.ruokuai.com/register.xml

hXXp://api.ruokuai.com/info.xml

hXXp://api.ruokuai.com/recharge.xml

hXXp://api.ruokuai.com/create.xml

hXXp://api.ruokuai.com/reporterror.xml

.jysnd.com

hXXp://api

version.dll

msimg32.dll

usp10.dll

winmm.dll

*.txt

|*.txt

hXXp://VVV.sz789.net/reg.aspx

hXXp://VVV.gsdati.com/index.php/Index/Index/register

hXXp://VVV.zhima365.com/userreg.php

hXXp://VVV.ruokuai.com/home/register

hXXp://VVV.killma.com/register.php

[/dfgmsg]

.toString()

.splice(

.push('

.push(

.push(eval(

get__key(

select name as title from sqlite_master where type='table'

select name as title from sqlite_master where type='table' and name not like('sqlite%')

SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND tbl_name='

PRIMARY KEY

ui.ptlogin2.qq.com/cgi-bin/login?link_target=blank&f_url=loginerroralert&hide_title_bar=1&style=11&daid=196&low_login=0&appid=710032918&s_url=http://bbs.lol.qq.com/member.php?mod=logging&action=loginsucc&target=self

pt_login_sig

hXXp://check.

&u1=http://bbs.lol.qq.com/member.php?mod=logging&action=loginsucc&r=0.

&js_type=1&login_sig=

ptlogin2.qq.com/check?regmaster=&pt_tea=2&pt_vcode=1&uin=

captcha.qq.com/cap_union_new_gettype?aid=710032918&asig=&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&curenv=inner&uid=

captcha.qq.com/cap_union_new_show?aid=710032918&asig=&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&curenv=inner&sess=

/cap_union_new_getcapbysig?aid=710032918&asig=&captype=&protocol=http&clientype=2&disturblevel=&apptype=2&curenv=inner&sess=

websig:"

&pt_randsalt=0&ptredirect=0&u1=http://bbs.lol.qq.com/member.php?mod=logging&action=loginsucc&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=

ptlogin2.qq.com/login?u=

captcha.qq.com/cap_union_new_verify?random=

&websig=

aid=710032918&asig=&captype=&protocol=http&clientype=2&disturblevel=&apptype=2&curenv=inner&sess=

aq.qq.com

while (z   aD < aC.length) {

t  = aC.substring(z, z   aD)   "\n";

return t   aC.substring(z, aC.length)

return "0"   t.toString(16)

return t.toString(16)

if (aG < aD.length   11) {

var aC = aD.length - 1;

var aE = aD.charCodeAt(aC--);

z.nextBytes(t)

this.dmp1 = null;

this.dmq1 = null;

this.coeff = null

if (z != null && t != null && z.length > 0 && t.length > 0) {

uv_alert("Invalid RSA public key")

return t.modPowInt(this.e, this.n)

var t = ah(aC, (this.n.bitLength()   7) >> 3);

var aD = this.doPublic(t);

var z = aD.toString(16);

if ((z.length & 1) == 0) {

N.prototype.doPublic = Y;

N.prototype.setPublic = q;

N.prototype.encrypt = r;

this.fromNumber(z, t, aC)

this.fromString(z, 256)

this.fromString(z, t)

aG = Math.floor(aC / 67108864);

au.prototype.am = aA;

au.prototype.DB = ay;

au.prototype.DM = ((1 << ay) - 1);

au.prototype.DV = (1 << ay);

au.prototype.FV = Math.pow(2, ac);

au.prototype.F1 = ac - ay;

au.prototype.F2 = 2 * ay - ac;

ar = "0".charCodeAt(0);

ar = "a".charCodeAt(0);

ar = "A".charCodeAt(0);

return ag.charAt(t)

var aC = ai[z.charCodeAt(t)];

z.fromInt(t);

this.fromRadix(aG, z);

var aF = aG.length,

if (aG.charAt(aF) == "-") {

if (aE   aD > this.DB) {

this[this.t - 1] |= (t & ((1 << (this.DB - aE)) - 1)) << aE;

this[this.t  ] = (t >> (this.DB - aE))

if (aE >= this.DB) {

aE -= this.DB

this[this.t - 1] |= ((1 << (this.DB - aE)) - 1) << aE

this.clamp();

au.ZERO.subTo(this, this)

var t = this.s & this.DM;

return "-"   this.negate().toString(z)

return this.toRadix(z)

var aG = this.DB - (aD * this.DB) % aC;

if (aG < this.DB && (aH = this[aD] >> aG) > 0) {

aH |= this[--aD] >> (aG  = this.DB - aC)

aG  = this.DB; --aD

au.ZERO.subTo(this, t);

return (this.s < 0) ? this.negate() : this

return this.DB * (this.t - 1)   l(this[this.t - 1] ^ (this.s & this.DM))

z.t = Math.max(this.t - aC, 0);

var z = aH % this.DB;

var t = this.DB - z;

var aE = Math.floor(aH / this.DB),

aG = (this.s << z) & this.DM,

aD.clamp()

var aE = Math.floor(aG / this.DB);

var z = aG % this.DB;

t = Math.min(z.t, this.t);

aD[aC  ] = aE & this.DM;

aE >>= this.DB

aD[aC  ] = aE & this.DM;

aE >>= this.DB

aD[aC  ] = this.DV   aE

var t = this.abs(),

aE = z.abs();

aD[aC   t.t] = t.am(0, aE[aC], aD, aC, 0, t.t)

aD.clamp();

au.ZERO.subTo(aD, aD)

var t = this.abs();

var aD = t.am(z, t[z], aC, 2 * z, 0, 1);

if ((aC[z   t.t]  = t.am(z   1, 2 * t[z], aC, 2 * z   1, aD, t.t - z - 1)) >= t.DV) {

aC[z   t.t] -= t.DV;

aC[aC.t - 1]  = t.am(z, t[z], aC, 2 * z, 0, 1)

aC.clamp()

var aQ = aK.abs();

var aI = this.abs();

aH.fromInt(0)

this.copyTo(aG)

var aP = this.DB - l(aQ[aQ.t - 1]);

aQ.lShiftTo(aP, aE);

aI.lShiftTo(aP, aG)

aQ.copyTo(aE);

aI.copyTo(aG)

var aT = this.FV / aL,

aE.dlShiftTo(aN, aF);

if (aG.compareTo(aF) >= 0) {

aG.subTo(aF, aG)

au.ONE.dlShiftTo(aM, aF);

aF.subTo(aE, aE);

var aD = (aG[--aO] == aC) ? this.DM: Math.floor(aG[aO] * aT   (aG[aO - 1]   aR) * aS);

if ((aG[aO]  = aE.am(0, aD, aG, aN, 0, aM)) < aD) {

aE.dlShiftTo(aN, aF);

aG.subTo(aF, aG);

aG.subTo(aF, aG)

aG.drShiftTo(aM, aH);

au.ZERO.subTo(aH, aH)

aG.clamp();

aG.rShiftTo(aP, aG)

au.ZERO.subTo(aG, aG)

this.abs().divRemTo(t, null, z);

if (this.s < 0 && z.compareTo(au.ZERO) > 0) {

t.subTo(z, z)

if (t.s < 0 || t.compareTo(this.m) >= 0) {

return t.mod(this.m)

t.divRemTo(this.m, null, t)

t.multiplyTo(aC, z);

this.reduce(z)

t.squareTo(z);

M.prototype.convert = X;

M.prototype.revert = am;

M.prototype.reduce = L;

M.prototype.mulTo = J;

M.prototype.sqrTo = aw;

z = (z * (2 - t * z % this.DV)) % this.DV;

return (z > 0) ? this.DV - z: -z

this.mp = t.invDigit();

this.mpl = this.mp & 32767;

this.mph = this.mp >> 15;

this.um = (1 << (t.DB - 15)) - 1;

this.mt2 = 2 * t.t

t.abs().dlShiftTo(this.m.t, z);

z.divRemTo(this.m, null, z);

if (t.s < 0 && z.compareTo(au.ZERO) > 0) {

this.m.subTo(z, z)

t.copyTo(z);

this.reduce(z);

while (t.t <= this.mt2) {

var aD = (z * this.mpl   (((z * this.mph   (t[aC] >> 15) * this.mpl) & this.um) << 15)) & t.DM;

t[z]  = this.m.am(0, aD, t, aC, 0, this.m.t);

while (t[z] >= t.DV) {

t[z] -= t.DV;

t.clamp();

t.drShiftTo(this.m.t, t);

if (t.compareTo(this.m) >= 0) {

t.subTo(this.m, t)

g.prototype.convert = al;

g.prototype.revert = av;

g.prototype.reduce = R;

g.prototype.mulTo = B;

g.prototype.sqrTo = ao;

return au.ONE

aF = aI.convert(this),

aF.copyTo(aG);

aI.sqrTo(aG, aC);

aI.mulTo(aC, aF, aG)

return aI.revert(aG)

if (aC < 256 || t.isEven()) {

return this.exp(aC, aD)

au.prototype.copyTo = aa;

au.prototype.fromInt = p;

au.prototype.fromString = y;

au.prototype.clamp = Q;

au.prototype.dlShiftTo = at;

au.prototype.drShiftTo = Z;

au.prototype.lShiftTo = v;

au.prototype.rShiftTo = n;

au.prototype.subTo = ad;

au.prototype.multiplyTo = F;

au.prototype.squareTo = S;

au.prototype.divRemTo = G;

au.prototype.invDigit = D;

au.prototype.isEven = k;

au.prototype.exp = A;

au.prototype.toString = s;

au.prototype.negate = T;

au.prototype.abs = an;

au.prototype.compareTo = I;

au.prototype.bitLength = w;

au.prototype.mod = P;

au.prototype.modPowInt = ap;

au.ZERO = c(0);

au.ONE = c(1);

d(new Date().getTime())

/*if(navigator.appName=="Netscape"&&navigator.appVersion<"5"&&window.crypto&&window.crypto.random){ var H=window.crypto.random(32); for(K=0; K<H.length;   K){ W[ae  ]=H.charCodeAt(K)&255 } }*/

K = Math.floor(65536 * Math.random());

o.init(W);

for (ae = 0; ae < W.length;   ae) {

return o.next()

for (t = 0; t < z.length;   t) {

af.prototype.nextBytes = ax;

z = (z   this.S[aD]   aE[aD % aE.length]) & 255;

m.prototype.init = f;

m.prototype.next = a;

t.setPublic(aC, z);

return t.encrypt(aD)

return Math.round(Math.random() * 4294967295)

for (var B = 0; B < D.length; B  ) {

var C = Number(D[B]).toString(16);

if (C.length == 1) {

for (var A = 0; A < B.length; A  = 2) {

C  = String.fromCharCode(parseInt(B.substr(A, 2), 16))

for (var A = 0; A < C.length; A  ) {

B[A] = C.charCodeAt(A)

var A = C.length;

var A = E.length;

for (var C = 0; C < B.length; C  ) {

var A = u.length;

for (var B = 0; B < E.length; B  ) {

C[B] = E.charCodeAt(B) & 255

for (var B = 0; B < E.length; B  = 2) {

C[A  ] = parseInt(E.substr(B, 2), 16)

for (var B = 0; B < C.length; B  ) {

A  = String.fromCharCode(C[B])

return d.encode(A)

initkey: function(A, B) {

d.PADCHAR = "=";

d.ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /";

d.getbyte = function(C, B) {

var A = C.charCodeAt(B);

d.encode = function(E) {

if (arguments.length != 1) {

var B = d.PADCHAR;

var G = d.ALPHA;

var F = d.getbyte;

var C = E.length - E.length % 3;

if (E.length == 0) {

A.push(G.charAt(H >> 18));

A.push(G.charAt((H >> 12) & 63));

A.push(G.charAt((H >> 6) & 63));

A.push(G.charAt(H & 63))

switch (E.length - C) {

A.push(G.charAt(H >> 18)   G.charAt((H >> 12) & 63)   B   B);

A.push(G.charAt(H >> 18)   G.charAt((H >> 12) & 63)   G.charAt((H >> 6) & 63)   B);

return A.join("")

return binl2hex(core_md5(str2binl(s), s.length * chrsz))

return binl2str(core_md5(str2binl(s), s.length * chrsz))

function hex_hmac_md5(key, data) {

return binl2hex(core_hmac_md5(key, data))

function b64_hmac_md5(key, data) {

return binl2b64(core_hmac_md5(key, data))

function str_hmac_md5(key, data) {

return binl2str(core_hmac_md5(key, data))

for (var i = 0; i < x.length; i  = 16) {

function core_hmac_md5(key, data) {

var bkey = str2binl(key);

if (bkey.length > 16) {

bkey = core_md5(bkey, key.length * chrsz)

ipad[i] = bkey[i] ^ 909522486;

opad[i] = bkey[i] ^ 1549556828

var hash = core_md5(ipad.concat(str2binl(data)), 512   data.length * chrsz);

return core_md5(opad.concat(hash), 512   128)

for (var i = 0; i < str.length * chrsz; i  = chrsz) {

bin[i >> 5] |= (str.charCodeAt(i / chrsz) & mask) << (i % 32)

for (var i = 0; i < bin.length * 32; i  = chrsz) {

str  = String.fromCharCode((bin[i >> 5] >>> (i % 32)) & mask)

for (var i = 0; i < binarray.length * 4; i  ) {

str  = hex_tab.charAt((binarray[i >> 2] >> ((i % 4) * 8   4)) & 15)   hex_tab.charAt((binarray[i >> 2] >> ((i % 4) * 8)) & 15)

for (var i = 0; i < binarray.length * 4; i  = 3) {

if (i * 8   j * 6 > binarray.length * 32) {

str  = tab.charAt((triplet >> 6 * (3 - j)) & 63)

for (var i = 0; i < str.length; i = i   2) {

arr.push("\\x"   str.substr(i, 2))

arr = arr.join("");

if (Math.random() > (probability || 1)) {

var url = location.protocol   "//ui.ptlogin2.qq.com/cgi-bin/report?id="   mid;

var s = document.createElement("img");

s.src = url;

function getEncryption(password, salt, vcode) {

var md5Pwd = md5(password),

rsaH1 = RSA.rsa_encrypt(h1),

rsaH1Len = (rsaH1.length / 2).toString(16),

hexVcode = TEA.strToBytes(vcode.toUpperCase()),

vcodeLen = "000"   vcode.length.toString(16);

while (rsaH1Len.length < 4) {

TEA.initkey(s2);

var saltPwd = TEA.enAsBase64(rsaH1Len   rsaH1   TEA.strToBytes(salt)   vcodeLen   hexVcode);

TEA.initkey("");

return saltPwd.replace(/[\/\ =]/g,

"/": "-",

" ": "*",

"=": "_"

{pass}

getEncryption("{pass}","{salt}","{code}")

keyvalue

hXXp://captcha.qq.com/cap_union_new_show

hXXp://ui.ptlogin2.qq.com/cgi-bin/login

keyboards

keyUpCnt

keyUpValue

focusBlur.in

focusBlur.out

1920-1080-1040-24-96-96-1

_0xf21cxa["keyvalue"] = [];

var _0xf21cx15 = ["mousemove", "mouseclick", "keyvalue", "user_Agent", "resolutionx", "resolutiony", "url", "refer", "begintime", "endtime", "platform", "os", "keyboards", "flash", "pluginNum", "index", "ptcz", "tokenid"];

_0xf21cx19["cutUrl"] = _0xf21cx45;

_0xf21cx4c["push"]((_0xf21cx5e >>> 4).toString(16));

_0xf21cx4c["push"]((_0xf21cx5e & 15).toString(16))

return _0xf21cx4c["join"]("")

return _0xf21cx53["join"]("")

_0xf21cx54["HmacMD5"] = _0xf21cx57._createHmacHelper(_0xf21cx55)

keySize: 4,

for (var _0xf21cx40 = this["cfg"], _0xf21cx43 = _0xf21cx40["hasher"]["create"](), _0xf21cx58 = _0xf21cx31["create"](), _0xf21cx52 = _0xf21cx58["words"], _0xf21cx5a = _0xf21cx40["keySize"], _0xf21cx40 = _0xf21cx40["iterations"]; _0xf21cx52["length"] < _0xf21cx5a;) {

this["_key"] = _0xf21cx5b;

keySize: 4,

return (_0xf21cx5b ? _0xf21cx43["create"]([1398893684, 1701076831])["concat"](_0xf21cx5b)["concat"](_0xf21cx58) : _0xf21cx58).toString(_0xf21cx55)

key: _0xf21cx5c,

keySize: _0xf21cx58   _0xf21cx5c

key: _0xf21cx5b,

_0xf21cx5c = _0xf21cx53["PasswordBasedCipher"] = _0xf21cx5b["extend"]({

_0xf21cx53 = _0xf21cx31["kdf"]["execute"](_0xf21cx53, _0xf21cx58["keySize"], _0xf21cx58["ivSize"]);

_0xf21cx58 = _0xf21cx5b["encrypt"]["call"](this, _0xf21cx58, _0xf21cx5c, _0xf21cx53["key"], _0xf21cx31);

_0xf21cx53 = _0xf21cx31["kdf"]["execute"](_0xf21cx53, _0xf21cx58["keySize"], _0xf21cx58["ivSize"], _0xf21cx5c["salt"]);

return _0xf21cx5b["decrypt"]["call"](this, _0xf21cx58, _0xf21cx5c, _0xf21cx53["key"], _0xf21cx31)

for (var _0xf21cx5b = this["_key"], _0xf21cx5c = _0xf21cx5b["words"], _0xf21cx53 = _0xf21cx5b["sigBytes"] / 4, _0xf21cx5b = 4 * ((this["_nRounds"] = _0xf21cx53   6)   1), _0xf21cx4c = this["_keySchedule"] = [], _0xf21cx5d = 0; _0xf21cx5d < _0xf21cx5b; _0xf21cx5d  ) {

_0xf21cx5c = this["_invKeySchedule"] = [];

this._doCryptBlock(_0xf21cx5b, _0xf21cx58, this._keySchedule, _0xf21cx54, _0xf21cx55, _0xf21cx56, _0xf21cx57, _0xf21cx31)

this._doCryptBlock(_0xf21cx5b, _0xf21cx5c, this._invKeySchedule, _0xf21cx58, _0xf21cx59, _0xf21cx5a, _0xf21cx5f, _0xf21cx43);

keySize: 8

return this.valueOf()

return isFinite(this.valueOf()) ? this["getUTCFullYear"]()   "-"   _0xf21cx66(this["getUTCMonth"]()   1)   "-"   _0xf21cx66(this["getUTCDate"]())   "T"   _0xf21cx66(this["getUTCHours"]())   ":"   _0xf21cx66(this["getUTCMinutes"]())   ":"   _0xf21cx66(this["getUTCSeconds"]())   "Z": null

return typeof _0xf21cx5c === "string" ? _0xf21cx5c: "\\u"   ("0000"   _0xf21cx5b["charCodeAt"](0).toString(16))["slice"]( - 4)

_0xf21cx57 = _0xf21cx7e["length"] === 0 ? "[]": _0xf21cx75 ? "["   _0xf21cx75   _0xf21cx7e["join"](","   _0xf21cx75)   ""   _0xf21cx7d   "]": "["   _0xf21cx7e["join"](",")   "]";

_0xf21cx57 = _0xf21cx7e["length"] === 0 ? "{}": _0xf21cx75 ? "{"   _0xf21cx75   _0xf21cx7e["join"](","   _0xf21cx75)   ""   _0xf21cx7d   "}": "{"   _0xf21cx7e["join"](",")   "}";

throw new Error("JSON.stringify")

return "\\u"   ("0000"   _0xf21cx5b["charCodeAt"](0).toString(16))["slice"]( - 4)

throw new SyntaxError("JSON.parse")

_0xf21cxb7["push"]("["   _0xf21cx5b   "] "   _0xf21cxb9(_0xf21cx58["message"] && (_0xf21cx58["name"] || "Error")   ": "   _0xf21cx58["message"] || _0xf21cx58.toString()))

var _0xf21cxbe = "Symbol;Arial;Courier New;Times New Roman;Georgia;Trebuchet MS;Verdana;Impact;Comic Sans MS;Webdings;Tahoma;Microsoft Sans Serif;Wingdings;Arial Black;Lucida Console;Marlett;Lucida Sans Unicode;Courier;Franklin Gothic Medium;Palatino Linotype" ["split"](";");

this)["join"](";")

var _0xf21cxc3 = ["ShockwaveFlash.ShockwaveFlash", "AcroPDF.PDF", "PDF.PdfCtrl", "QuickTime.QuickTime", "rmocx.RealPlayer G2 Control", "rmocx.RealPlayer G2 Control.1", "RealPlayer.RealPlayer(tm) ActiveX Control (32-bit)", "RealVideo.RealVideo(tm) ActiveX Control (32-bit)", "RealPlayer", "SWCtl.SWCtl", "WMPlayer.OCX", "AgControl.AgControl", "Skype.Detection"];

})["join"](";")

_0xf21cxc6 = _0xf21cxc2 ? _0xf21cxc2["Shockwave Flash"]["description"] : new ActiveXObject("ShockwaveFlash.ShockwaveFlash").GetVariable("$version")["replace"](",", ".")

return !! window["indexedDB"]

_0xf21cx5c["bSupportLocalStorage"] = _0xf21cxc9;

_0xf21cx5c["reportError"] = _0xf21cxb8;

_0xf21cxb6["reportError"]("cIPT", e)

_0xf21cx100["src"] = "hXXps://bsp.qcloud.qq.com/v2/index.php"   _0xf21cx46

_0xf21cxa["keyvalue"]["length"] = _0xf21cxd["length"] = 0

_0xf21cxa["url"] = _0xf21cx49;

_0xf21cxa["keyboards"] = _0xf21cxb;

_0xf21cxa["keyUpCnt"] = _0xf21cxc;

_0xf21cxa["keyUpValue"] = _0xf21cxd;

_0xf21cxa["keyvalue"] = [];

return _0xf21cx30 ? encodeURIComponent(_0xf21cx108.toString()) : "?Action=WebInfo&siteKey="   encodeURIComponent('<$=siteKey%>')   "&content="   encodeURIComponent(_0xf21cx108.toString())

_0xf21cxa["keyvalue"]["push"](_0xf21cxb2)

var _0xf21cx12d = (navigator["platform"] == "Win32") || (navigator["platform"] == "Windows");

var _0xf21cx132 = _0xf21cx12c["indexOf"]("Windows NT 5.0") > -1 || _0xf21cx12c["indexOf"]("Windows 2000") > -1;

var _0xf21cx133 = _0xf21cx12c["indexOf"]("Windows NT 5.1") > -1 || _0xf21cx12c["indexOf"]("Windows XP") > -1;

var _0xf21cx134 = _0xf21cx12c["indexOf"]("Windows NT 5.2") > -1 || _0xf21cx12c["indexOf"]("Windows 2003") > -1;

var _0xf21cx135 = _0xf21cx12c["indexOf"]("Windows NT 6.0") > -1 || _0xf21cx12c["indexOf"]("Windows Vista") > -1;

var _0xf21cx136 = _0xf21cx12c["indexOf"]("Windows NT 6.1") > -1 || _0xf21cx12c["indexOf"]("Windows 7") > -1;

var _0xf21cx13a = /firefox\/[\d.] /gi;

var _0xf21cx13b = /chrome\/[\d.] /gi;

return _0xf21cx138["match"](_0xf21cx139)["join"]("")

if (_0xf21cx138["indexOf"]("firefox") > 0) {

return _0xf21cx138["match"](_0xf21cx13a)["join"]("")

if (_0xf21cx138["indexOf"]("chrome") > 0) {

return _0xf21cx138["match"](_0xf21cx13b)["join"]("")

if (_0xf21cx138["indexOf"]("safari") > 0 && _0xf21cx138["indexOf"]("chrome") < 0) {

return _0xf21cx138["match"](_0xf21cx13c)["join"]("")

var _0xf21cx140 = new ActiveXObject("ShockwaveFlash.ShockwaveFlash");

VSwf = _0xf21cx140.GetVariable("$version");

return encodeURIComponent(_0xf21cx108.toString());

var begintime = Math.floor(new Date().getTime() / 1000);

var keyUpCnt = 4;

var tokenid=Math.floor(Math.random()*2067831491 3565063022);

var ip=Math.floor(Math.random()*245 10);

var t1 = Math.floor(new Date().getTime() / 1000);

var endtime = new Date().getTime();

endtime = Math.floor(endtime / 1000);

var focusBlur_t = Math.floor(Math.random() * 980   1469);

var m_x = 238   Math.floor(Math.random() * 5   1);

var m_y = 141   Math.floor(Math.random() * 5   1);

var m_x1 = 179   Math.floor(Math.random() * 5   1);

var m_y1 = 280   Math.floor(Math.random() * 5   1);

var data = '{"mousemove":[{"t":'   t1   ',"x":'   m_x   ',"y":'   m_y   '},{"t":'   t2   ',"x":'   m_x1   ',"y":'   m_y1   '}],"mouseclick":[{"t":'   t1   ',"x":'   m_x   ',"y":'   m_y   '}],"keyvalue":['   t1   ','   t1   ','   t3   ','   t3   '],"user_Agent":"safari/601.1","resolutionx":375,"resolutiony":667,"winSize":[375,667],"url":"hXXp://captcha.qq.com/cap_union_new_show","refer":"hXXp://ui.ptlogin2.qq.com/cgi-bin/login","begintime":'   begintime   ',"endtime":'   endtime   ',"platform":2,"os":"IOS","keyboards":4,"flash":0,"pluginNum":0,"index":'   code_cnt1   ',"ptcz":"","tokenid":'   tokenid   ',"btokenid":null,"tokents":'   begintime   ',"ips":{"in":["'   ip   '"]},"colorDepth":24,"cookieEnabled":true,"timezone":8,"wDelta":0,"keyUpCnt":'   keyUpCnt   ',"keyUpValue":['   t1   ','   t1   ','   t3   ','   t3   '],"mouseUpValue":[{"t":'   t1   ',"x":'   m_x   ',"y":'   m_y   '},{"t":'   t2   ',"x":'   m_x1   ',"y":'   m_y1   '}],"mouseUpCnt":'   mouseUpCnt   ',"mouseDownValue":[{"t":'   t1   ',"x":'   m_x   ',"y":'   m_y   '},{"t":'   t2   ',"x":'   m_x1   ',"y":'   m_y1   '}],"mouseDownCnt":'   mouseUpCnt   ',"orientation":[{"x":0,"y":0,"z":0},{"x":0,"y":0,"z":0}],"bSimutor":0,"focusBlur":{"in":['   focusBlur_in   '],"out":['   focusBlur_in   '],"t":['   focusBlur_t   ']},"fVersion":0,"charSet":"UTF-8","resizeCnt":0,"errors":[],"screenInfo":"375-667-667-24-*-*-*","elapsed":0,"clientType":"1","refreshcnt":'   code_cnt   ',"trycnt":'   code_cnt1   ',"jshook":4}';

keyUpCnt  = 4;

&password=

hXXp://api2.sz789.net:88/RecvByte.ashx

hXXp://api2.sz789.net:88/ReportError.ashx

hXXp://api2.sz789.net:88/GetUserInfo.ashx

Content-Disposition: form-data; name="password"

{password}

Content-Disposition: form-data; name="softkey"

{softkey}

hXXp://api.ruokuai.com/create.json

hXXp://api.ruokuai.com/reporterror.json

hXXp://api.ruokuai.com/info.json

&softkey=

Content-Disposition: form-data; name="image"; filename="System.Byte[]"

Content-Disposition: form-data; name="soft_key"

{soft_key}

Content-Disposition: form-data; name="image_path"; filename="{filename}.png"

hXXp://ff.zhima365.com/zmdemo_php/http_api.php

type=report_error&pic_id=

hXXp://ff.killma.com/kmdemo_php/http_api.php

hXXp://hzapi.jysnd.com

hXXp://hzapi1.jysnd.com

:10680/?cmd=upload&user=

:10681/?cmd=query&id=

:10683/?cmd=querybalance&user=

:10682/?cmd=reporterror&id=

SetClientCertificate

admin@52dfg.com

5ugg%u

09/27/12

admin@52dfg.com

%d&&'

123456789

00003333

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

inflate 1.1.3 Copyright 1995-1998 Mark Adler

1.2.18

? deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly

inflate 1.1.4 Copyright 1995-2002 Mark Adler

?456789:;<=

!"#$%&'()* ,-./0123

%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

MSWHEEL_ROLLMSG

__MSVCRT_HEAP_SELECT

iphlpapi.dll

SHLWAPI.dll

MPR.dll

VERSION.dll

WININET.dll

.PAVCException@@

Shell32.dll

Mpr.dll

User32.dll

Gdi32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

.PAVCFileException@@

: %d]

(*.*)|*.*||

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

windows

.PAVCNotSupportedException@@

out.prn

(*.prn)|*.prn|

%d.%d

%d/%d

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

%d / %d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

;3 #>6.&

'2, / 0&7!4-)1#

VVV.dywt.com.cn

(*.avi)|*.avi

RICHED32.DLL

RICHED20.DLL

WPFT532.CNV

WPFT632.CNV

EXCEL32.CNV

write32.wpc

Windows Write

mswrd632.wpc

Word for Windows 6.0

wword5.cnv

Word for Windows 5.0

mswrd832.cnv

mswrd632.cnv

Word 6.0/95 for Windows & Macintosh

html32.cnv

operator

keywords

(%S)%M%D %y-%m-%d

After RemoveDC(), pen counter: %d, bursh counter: %d, font counter: %d

!!! Create pen ERROR! ErrNo.[%d]

  Create pen No.%d

!!! Create brush ERROR! ErrNo.[%d]

  Create brush No.%d

!!! Create font ERROR! ErrNo.[%d]

  Create font No.%d

- Delete pen No.%d

- Delete brush No.%d

- Delete font No.%d

TrayIcon event: %x

hXXp://VVV.eyuyan.com

service@dywt.com.cn

 86(0411)39895834

 86(0411)39895831

This is a runtime library file for EPL applications. The EPL is a software development environment. For details please visit VVV.dywt.com.cn/info

DelAllKeyValues

DelKeyValue

GetAllKeys

GetKeyValue

AddKeyValue

DSGetErrMsg

BiTreeGetCurNodeKey

ListGetCurNodeKey

ListUpdateNodeFromKey

ListRemoveNodeFromKey

edatastructure_fnMapDelAllKeyValues

edatastructure_fnMapDelKeyValue

edatastructure_fnMapGetAllKeys

edatastructure_fnMapGetKeyValue

edatastructure_fnMapAddKeyValue

edatastructure_fnBiTreeGetCurNodeKey

edatastructure_fnListGetCurNodeKey

edatastructure_fnListUpdateNodeFromKey

edatastructure_fnListRemoveNodeFromKey

1.1.4

(*.htm;*.html)|*.htm;*.html

its:%s::%s

%d%d%d

rundll32.exe shell32.dll,

.PAVCOleException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCOleDispatchException@@

.PAVCArchiveException@@

right-curly-bracket

left-curly-bracket

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

SQLite

SQLite3 Database Library

3.8.8.2

SQLite3

1, 0, 6, 6

- Skin.dll

(*.*)

%original file name%.exe_3700_rwx_00783000_00003000:

MSVCRT.dll

IPHLPAPI.DLL

PSAPI.DLL

KERNEL32.dll

%original file name%.exe_3700_rwx_00787000_00002000:

MSVCRT.dll

KERNEL32.dll

ADVAPI32.dll

RegDeleteKeyA

RegCreateKeyExA

RegCloseKey

RegOpenKeyExA

USER32.dll

SHELL32.dll

%original file name%.exe_3700_rwx_0081F000_000D5000:

KERNEL32.dll

USER32.dll

ADVAPI32.dll

WS2_32.dll

OLEAUT32.dll

ole32.dll

GDI32.dll

SHELL32.dll

WINMM.dll

WINSPOOL.DRV

COMCTL32.dll

AVIFIL32.dll

MSVFW32.dll

.afVf

#_g.ZV

comdlg32.dll

oledlg.dll

m-CX}3

m^.HG

7k.HG

m-C5}

'P.zG

%original file name%.exe_3700_rwx_008F6000_00002000:

GDI32.dll

RegisterHotKey

ScaleViewportExtEx

SetViewportExtEx

OffsetViewportOrgEx

.SelectPalette

GetViewportExtEx

GetViewportOrgEx

SetViewportOrgEx

ole32.dll

m|WINSPOOL.DRV

comdlg32.dll

ADVAPI32.dll

RegCreateKeyExA

RegCloseKey

RegOpenKeyExA

SHELL32.dll

ShellExecuteA

COMCTL32.dll

oledlg.dll

OLEAUT32.dll

MSVCRT.dll

&QPSAPI.DLL

IPHLPAPI.DLL

Safengine Shielden v2.3.9.0

%original file name%.exe_3700_rwx_016E0000_0004C000:

KERNELBASE.dll

BaseGetProcessExePath

BaseReleaseProcessExePath

ConnectNamedPipe

CreateIoCompletionPort

CreateMutexExA

CreateMutexExW

CreateNamedPipeW

CreatePipe

DisconnectNamedPipe

EnumCalendarInfoExEx

EnumDateFormatsExEx

GetCPFileNameFromRegistry

GetCPHashNode

GetCPInfo

GetCPInfoExW

GetNamedPipeAttribute

GetNamedPipeClientComputerNameW

GetProcessHeap

GetProcessHeaps

GetSystemWindowsDirectoryA

GetSystemWindowsDirectoryW

GetWindowsAccountDomainSid

GetWindowsDirectoryA

GetWindowsDirectoryW

ImpersonateNamedPipeClient

NeedCurrentDirectoryForExePathA

NeedCurrentDirectoryForExePathW

OpenRegKey

PeekNamedPipe

SetNamedPipeHandleState

SetProcessShutdownParameters

TransactNamedPipe

WaitNamedPipeW

NTDLL.RtlAcquireSRWLockExclusive

NTDLL.RtlAcquireSRWLockShared

NTDLL.TpCancelAsyncIoOperation

NTDLL.TpReleasePool

NTDLL.TpReleaseCleanupGroup

NTDLL.TpReleaseCleanupGroupMembers

NTDLL.TpReleaseIoCompletion

NTDLL.TpReleaseTimer

NTDLL.TpReleaseWait

NTDLL.TpReleaseWork

NTDLL.RtlDecodePointer

NTDLL.RtlDecodeSystemPointer

NTDLL.RtlDeleteCriticalSection

NTDLL.TpDisassociateCallback

NTDLL.RtlEncodePointer

NTDLL.RtlEncodeSystemPointer

NTDLL.RtlEnterCriticalSection

NTDLL.RtlExitUserThread

NTDLL.NtFlushProcessWriteBuffers

NTDLL.TpCallbackUnloadDllOnCompletion

NTDLL.RtlAllocateHeap

NTDLL.RtlFreeHeap

NTDLL.RtlReAllocateHeap

NTDLL.RtlSizeHeap

NTDLL.RtlInitializeCriticalSection

NTDLL.RtlInitializeSListHead

NTDLL.RtlInitializeSRWLock

NTDLL.RtlInterlockedCompareExchange64

NTDLL.RtlInterlockedFlushSList

NTDLL.RtlInterlockedPopEntrySList

NTDLL.RtlInterlockedPushEntrySList

NTDLL.RtlInterlockedPushListSList

NTDLL.TpIsTimerSet

NTDLL.RtlLeaveCriticalSection

NTDLL.TpCallbackLeaveCriticalSectionOnCompletion

NTDLL.RtlQueryDepthSList

NTDLL.RtlQueryPerformanceCounter

NTDLL.RtlQueryPerformanceFrequency

NTDLL.TpCallbackReleaseMutexOnCompletion

NTDLL.RtlReleaseSRWLockExclusive

NTDLL.RtlReleaseSRWLockShared

NTDLL.TpCallbackReleaseSemaphoreOnCompletion

NTDLL.RtlSetCriticalSectionSpinCount

NTDLL.TpCallbackSetEventOnCompletion

NTDLL.RtlSetLastWin32Error

NTDLL.TpSetPoolMaxThreads

NTDLL.TpSetTimer

NTDLL.TpSetWait

NTDLL.TpStartAsyncIoOperation

NTDLL.TpPostWork

NTDLL.RtlTryAcquireSRWLockExclusive

NTDLL.RtlTryAcquireSRWLockShared

NTDLL.RtlTryEnterCriticalSection

NTDLL.TpWaitForIoCompletion

NTDLL.TpWaitForTimer

NTDLL.TpWaitForWait

NTDLL.TpWaitForWork

%X@Qu

yNuw.Ou8wNu

j.Xf;

PSSSSSSh

PSSSSSSSh

SSSSh

VWSSh

SXS: %s failing because RtlQueryInformationActivationContext() returned status lx

SXS: %s - Failing thread create because RtlActivateActivationContextEx() failed with status lx

SXS: %s - Failing thread create because RtlQueryInformationActivationContext() failed with status lx

%s - Failing thread create because RtlAllocateActivationContextStack() failed with status lx

PVWSSh

QSSSSh

`VSSSSh

t9VSSSSh

SXS: %s - Failure getting active activation context; ntstatus lx

@$?.Pu

x0-u%f

j.Yf;

t.Ht!HHt

t.HHt#

?456789:;<=

!"#$%&'()* ,-./0123

ntdll.dll

NtCreateNamedPipeFile

NtDelayExecution

NtQueryValueKey

NtOpenKey

RtlReportSilentProcessExit

NtYieldExecution

RtlGetProcessHeaps

NtSetValueKey

NtEnumerateValueKey

NtCreateKey

NtDeleteKey

NtEnumerateKey

NtNotifyChangeKey

NtDeleteValueKey

NtQueryMultipleValueKey

kernelbase.pdb

-Pu?.Pu-iNu

4"4@4^4|4

9-9I9e9}9

Allow flag to be passed with CreateFile call that indicates to perform downgrade if applicable.

kernel32.dll

\Windows

\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters

NoDefaultCurrentDirectoryInExePath

%s\%x\%s

netmsg.dll

sShortTime

sShortDate

\\.\MountPointManager

\Device\NamedPipe\

\DosDevices\pipe\

\\.\pipe\

pipe\

\\?\UNC

WUSER32.DLL

\\?\UNC\

\\?\GLOBALROOT

0123456789

%s%s%s

Windows NT BASE API Client DLL

6.1.7601.17651 (win7sp1_gdr.110715-1504)

Windows

Operating System

6.1.7601.17651

%original file name%.exe_3700_rwx_01830000_0013D000:

8SsHd

d:\win7sp1_gdr\minkernel\threadpool\ntdll\cgrp.c

<P.tmB;

TppWorkpExecuteCallback

TppSimplepExecuteCallback

d:\win7sp1_gdr\minkernel\threadpool\ntdll\simple.c

d:\win7sp1_gdr\minkernel\threadpool\ntdll\io.c

SsHd;

_CorExeMain

tùp

!wSSh

d:\win7sp1_gdr\minkernel\threadpool\ntdll\waiter.c

TppWaitpExecuteCallback

TppTimerpExecuteCallback

d:\win7sp1_gdr\minkernel\threadpool\ntdll\cgrpmem.c

d:\win7sp1_gdr\minkernel\threadpool\ntdll\lpc.c

TppAlpcpExecuteCallback

d:\win7sp1_gdr\minkernel\threadpool\ntdll\callback.c

ntdll.dll

EtwpGetCpuSpeed

EvtIntReportAuthzEventAndSourceAsync

EvtIntReportEventAndSourceAsync

LdrOpenImageFileOptionsKey

LdrQueryImageFileExecutionOptions

LdrQueryImageFileExecutionOptionsEx

LdrQueryImageFileKeyOption

NtAcceptConnectPort

NtAlpcAcceptConnectPort

NtAlpcConnectPort

NtAlpcCreatePort

NtAlpcCreatePortSection

NtAlpcDeletePortSection

NtAlpcDisconnectPort

NtAlpcImpersonateClientOfPort

NtAlpcSendWaitReceivePort

NtCompactKeys

NtCompleteConnectPort

NtCompressKey

NtConnectPort

NtCreateKey

NtCreateKeyTransacted

NtCreateKeyedEvent

NtCreateNamedPipeFile

NtCreatePort

NtCreateWaitablePort

NtDelayExecution

NtDeleteKey

NtDeleteValueKey

NtEnumerateKey

NtEnumerateValueKey

NtFlushKey

NtImpersonateClientOfPort

NtListenPort

NtLoadKey

NtLoadKey2

NtLoadKeyEx

NtLockProductActivationKeys

NtLockRegistryKey

NtNotifyChangeKey

NtNotifyChangeMultipleKeys

NtOpenKey

NtOpenKeyEx

NtOpenKeyTransacted

NtOpenKeyTransactedEx

NtOpenKeyedEvent

NtQueryInformationPort

NtQueryKey

NtQueryMultipleValueKey

NtQueryOpenSubKeys

NtQueryOpenSubKeysEx

NtQueryPortInformationProcess

NtQueryValueKey

NtRegisterThreadTerminatePort

NtReleaseKeyedEvent

NtRenameKey

NtReplaceKey

NtReplyPort

NtReplyWaitReceivePort

NtReplyWaitReceivePortEx

NtReplyWaitReplyPort

NtRequestPort

NtRequestWaitReplyPort

NtRestoreKey

NtSaveKey

NtSaveKeyEx

NtSaveMergedKeys

NtSecureConnectPort

NtSetDefaultHardErrorPort

NtSetInformationKey

NtSetThreadExecutionState

NtSetValueKey

NtUnloadKey

NtUnloadKey2

NtUnloadKeyEx

NtWaitForKeyedEvent

NtYieldExecution

RtlCheckRegistryKey

RtlCmDecodeMemIoResource

RtlComputeImportTableHash

RtlCreateRegistryKey

RtlEnumProcessHeaps

RtlFormatCurrentUserKeyPath

RtlGetProcessHeaps

RtlIsCurrentThreadAttachExempt

RtlQueryProcessHeapInformation

RtlReportException

RtlReportSilentProcessExit

RtlReportSqmEscalation

RtlRunOnceExecuteOnce

RtlSendMsgToSm

RtlValidateProcessHeaps

RtlWerpReportException

RtlpCleanupRegistryKeys

RtlpNtCreateKey

RtlpNtEnumerateSubKey

RtlpNtMakeTemporaryKey

RtlpNtOpenKey

RtlpNtQueryValueKey

RtlpNtSetValueKey

SbExecuteProcedure

ShipAssert

ShipAssertGetBufferInfo

ShipAssertMsgA

ShipAssertMsgW

TpCancelAsyncIoOperation

TpStartAsyncIoOperation

WerReportSQMEvent

ZwAcceptConnectPort

ZwAlpcAcceptConnectPort

ZwAlpcConnectPort

ZwAlpcCreatePort

ZwAlpcCreatePortSection

ZwAlpcDeletePortSection

ZwAlpcDisconnectPort

ZwAlpcImpersonateClientOfPort

ZwAlpcSendWaitReceivePort

ZwCompactKeys

ZwCompleteConnectPort

ZwCompressKey

ZwConnectPort

ZwCreateKey

ZwCreateKeyTransacted

ZwCreateKeyedEvent

ZwCreateNamedPipeFile

ZwCreatePort

ZwCreateWaitablePort

ZwDelayExecution

ZwDeleteKey

ZwDeleteValueKey

ZwEnumerateKey

ZwEnumerateValueKey

ZwFlushKey

ZwImpersonateClientOfPort

ZwListenPort

ZwLoadKey

ZwLoadKey2

ZwLoadKeyEx

ZwLockProductActivationKeys

ZwLockRegistryKey

ZwNotifyChangeKey

ZwNotifyChangeMultipleKeys

ZwOpenKey

ZwOpenKeyEx

ZwOpenKeyTransacted

ZwOpenKeyTransactedEx

ZwOpenKeyedEvent

ZwQueryInformationPort

ZwQueryKey

ZwQueryMultipleValueKey

ZwQueryOpenSubKeys

ZwQueryOpenSubKeysEx

ZwQueryPortInformationProcess

ZwQueryValueKey

ZwRegisterThreadTerminatePort

ZwReleaseKeyedEvent

ZwRenameKey

ZwReplaceKey

ZwReplyPort

ZwReplyWaitReceivePort

ZwReplyWaitReceivePortEx

ZwReplyWaitReplyPort

ZwRequestPort

ZwRequestWaitReplyPort

ZwRestoreKey

ZwSaveKey

ZwSaveKeyEx

ZwSaveMergedKeys

ZwSecureConnectPort

ZwSetDefaultHardErrorPort

ZwSetInformationKey

ZwSetThreadExecutionState

ZwSetValueKey

ZwUnloadKey

ZwUnloadKey2

ZwUnloadKeyEx

ZwWaitForKeyedEvent

ZwYieldExecution

.txt2

secserv.dll

.sforce

.pcle

.aspack

Set 0x%X protection for %p section for %d bytes, old protection 0x%X

CLIENT(ntdll): Tyring to fix protection for %ws section in %wZ module to 0x%X

CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ

CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database

CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions

x:x @ d - %s - %s:

d:\win7sp1_gdr\minkernel\ntdll\ldrapi.c

d:\win7sp1_gdr\minkernel\ntdll\ldrfind.c

Changing the protection of the executable at %p failed with status 0xlx

d:\win7sp1_gdr\minkernel\ntdll\ldrinit.c

Exception record: .exr %p

Context record: .cxr %p

Process 0x%x (%wZ) exiting

Could not locate procedure "%s" in the shim engine DLL

LdrpInitializeExecutionOptions

Running the init routines of the executable's static imports failed with status 0xlx

Loading Windows subsystem DLL "%wZ" failed with status 0xlx

Walking the import tables of the executable and its static imports failed with status 0xlx

Locating procedure "%Z" in Windows subsystem DLL "%wZ" failed with status 0xlx

Beginning execution of %wZ (%wZ)

Allocating a data table entry for the executable failed

Initializing the execution options for the process %lx failed with status 0xlx

Delaying execution failed with status 0xlx

d:\win7sp1_gdr\minkernel\ntdll\ldrsnap.c

LdrpLoadImportModule

DLL name: %s DLL path: %wZ

Calling the Windows subsystem post-import routine %p failed with status 0xlx

Procedure "%s" could not be located in DLL "%s"

Ordinal 0x%lx could not be located in DLL "%s"

Hint index 0x%lx for procedure "%s" in DLL "%s" is invalid

%s loaded DLL "%wZ" (new reference count: 0x%lx)

LdrpFixupIATForRelocatedImport

DLL "%wZ" does not contain an export table

DLL "%wZ" is bound via forwarders to "%s"

Loading "%ws" from the bound import table of DLL "%wZ" failed with status 0xlx

DLL "%wZ" is bound to "%s"

LdrpHandleOneNewFormatImportDescriptor

Snapping the imports from DLL "%wZ" to DLL "%wZ" failed with status 0xlx

Loading "%ws" from the import table of DLL "%wZ" failed with status 0xlx

DLL "%wZ" imports "%s"

LdrpHandleOneOldFormatImportDescriptor

LdrpProcessStaticImports

d:\win7sp1_gdr\minkernel\ntdll\ldrtls.c

TlsVector %p Index %d : %d bytes copied from %p to %p

Execute '.cxr %p' to dump context

d:\win7sp1_gdr\minkernel\ntdll\ldrutil.c

Function %s raised exception 0xlx

RTL: Acquire Shared Sem Timeout %d(%I64u secs)

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)

NTDLL: Calling thread (%X) not owner of CritSect: %p Owner ThreadId: %X

RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu

RTL: Enter Critical Section Timeout (%I64u secs) %d

AVRF: Found duplicate for (%ws: %s) in %ws

AVRF: chain: thunk: %s == %s ?

AVRF: Chaining (%ws: %s) to %ws

AVRF: Checking %ws for duplicate (%ws: %s)

AVRF: Snapped (%ws: %s) with (%ws: %p).

AVRF: internal error: New thunk for %s is null.

AVRF: Unable to unprotect IAT to modify thunks (status X).

AVRF: (%ws) %s export found.

AVRF: warning: did not find `%s' export in %ws .

AVRF: failed to enable handle checking (status %X)

AVRF: Failed to find `VerifierStopMessage()' export in verifier.dll!

AVRF: Failed to find verifier.dll among loaded providers!

VERIFIER STOP %p: pid 0x%X: %s

%p : %s

AVRF: provider %ws passed an invalid descriptor @ %p

AVRF: %ws: failed to load provider `%ws' (status X) from %ws

AVRF: pid 0x%X: found dll descriptor for `%ws' with verified exports

AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.

AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled

rUS.Length <= This->PrivatePreallocatedString->MaximumLength

d:\win7sp1_gdr\minkernel\ntdll\sxsisol.cpp

!(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)

[%x.%x] SXS: %s - Relative redirection plus env var expansion.

SXS: %s() passed the empty activation context data

SXS: %s() called with invalid cookie tid 0xI64x - should be lx

SXS: %s() called with invalid cookie type 0xI64x

SXS: %s() called with invalid flags 0xlx

SXS: %s() Active frame is not the frame being deactivated %p != %p

SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0xlx.

SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0xlx.

SXS: String hash table entry at %p has invalid key offset (= %ld)

RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.

SXS/RTL: TOC entry array (offset: %ld; count = %lu; entry size = %u) is outside bounds of activation context data (%lu bytes)

SXS/RTL: Extended TOC section TOC %d (offset: %ld, size: %u) is outside activation context data bounds (%lu bytes)

SXS/RTL: Extended TOC entry array (starting at offset %ld; count = %lu; entry size = %u) is outside bounds of activation context data (%lu bytes)

SXS: %s() found assembly information section with user data extending beyond section data

SXS: %s() found assembly information section with user data too small

SXS: %s() found assembly information section with user data overlapping section header

SXS: %s() found assembly information section with search structure overlapping section header

SXS: %s() found assembly information section with element list overlapping section header

SXS: %s() passed string section at %p with too small of a header

SXS: %s() passed string section at %p claims %lu byte header size; that doesn't even include the HeaderSize member!

SXS: %s() found assembly information section with wrong magic value

SXS: %s() passed string section at %p only %lu bytes long; that's not even enough for the 4-byte magic and 4-byte header length!

SXS: %s() received invalid non-zero sub-instance index %lu

SXS: %s() found activation context data at %p with assembly roster that has no root

SXS: %s() received invalid sub-instance index %lu out of %lu Assemblies in the Acitvation Context

SXS: %s() received invalid file index (%d) in Assembly (%d)

SXS: %s() found activation context data at %p with wrong format

SXS: %s() - internal coding error; missing switch statement branch for InfoClass == %lu

SXS: %s() - caller asked to use active activation context but passed %p

SXS: %s() - Caller passed invalid hmodule (%p)

SXS: %s() - Caller asked to use activation context from hmodule but passed NULL

SXS: %s() - Caller passed invalid address, not in any .dll (%p)

SXS: %s() - Caller asked to use activation context from address in .dll but passed NULL

SXS: %s() - caller supplied no buffer to populate and no place to return required byte count

SXS: %s() - caller passed nonzero buffer length but NULL buffer pointer

SXS: %s() - caller asked for unknown information class %lu

SXS: %s() - Caller passed meaningless flags/class combination (0xlx/0xlx)

SXS: %s() - Caller passed invalid flags (0xlx)

SXS: Unabel to query location from storage root subkey %wZ; Status = 0xlx

SXS: Unable to open storage root subkey %wZ; Status = 0xlx

SXS: Unable to open registry key %wZ Status = 0xlx

SXS: Attempt to get storage location from subkey %wZ failed; Status = 0xlx

SXS: Unable to enumerate assembly storage subkey #%lu Status = 0xlx

SXS: %s() bad parameters:

SXS: %s() bad parameters

SXS: StorageLocation->Length: 0x%x

SXS: Unable to open assembly directory under storage root "%S"; Status = 0xlx

SXS: Attempt to translate DOS path name "%S" to NT format failed

SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed.

SXS: %s() passed the empty activation context

SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx

'LDR: %s(), invalid image format of MUI file

RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %x)

*** Assertion failed: %s%s

*** Source File: %s, line %ld

RtlQueryRegistryValues: Miscomputed buffer size at line %d

VirtualProtect Failed 0xx %x

VirtualQuery Failed 0xx %x

, passed to %s

Invalid heap signature for heap at %x

Unable to release memory at %p for %p bytes - Status == %x

Entry User Heap Size Req.Size Flags

:%u.%u.%u.%u

::ffff:0:%u.%u.%u.%u

::%hs%u.%u.%u.%u

%u.%u.%u.%u

X-X-X-X-X-X

Leaked Block 0x%p size 0x%p (stack %p depth %u)

*** Restarting wait on critsec or resource at %p (in %ws:%s)

*** enter .cxr %p for the context

*** enter .exr %p for the exception record

The instruction at %p tried to %s

*** An Access Violation occurred in %ws:%s

This means that the I/O device reported an I/O error. Check your hardware.

This failed because of error %x.

*** Inpage error in %ws:%s

The critical section is owned by thread %x.

*** Critical Section Timeout (%p) in %ws:%s

The resource is owned shared by %d threads

The resource is owned exclusively by thread %x

*** Resource timeout (%p) in %ws:%s

The stack trace should show the guilty function (the function directly above __report_gsfailure).

*** A stack buffer overrun occurred in %ws:%s

*** Unhandled exception 0xlx, hit in %ws:%s

Trace database: failing attempt to save biiiiig trace (size %u)

*** RtlpMuiRegLoadLicInformation failed with status %x

.hotp1

None%s

I64X: VA32 X -> X %s

I64X: PC32 X -> X (target %p) %s

I64X: VA64 6I64X -> 6I64X %s

Validation failure. Source = %p, Target = %p, Size = %x

Validation failed for global range %u of %u

I64X: jmp X (PC X) {

Unsupported template type

Inserting %u hooks into target image

Header too large (%u>%u) for copy/normalize/validate

Error code: %d - %s

heap_failure_cross_heap_operation

This is located in the %s field of the heap header.

Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)

Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)

Heap block at %p has incorrect segment offset (%x)

Heap entry %p has incorrect PreviousSize field (x instead of x)

Invalid CommitSize parameter - %x

Invalid ReserveSize parameter - %x

Invalid address specified to %s( %p, %p )

Tag x (%ws) size incorrect (%x != %x) %p

Pseudo Tag x size incorrect (%x != %x) %p

dedicated (x) free list element %p is marked busy

Invalid allocation size - %x (exceeded %x)

Just allocated block at %p for 0x%x bytes with tag %ws

Just allocated block at %p for %x bytes

Just reallocated block at %p to 0x%x bytes with tag %ws

Just reallocated block at %p to %x bytes

About to rellocate block at %p to 0x%x bytes with tag %ws

About to reallocate block at %p to %x bytes

/$&@7$&@9$&@:$&@

?SsHd

>SsHd

d:\win7sp1_gdr\minkernel\threadpool\ntdll\timer.c

d:\win7sp1_gdr\minkernel\threadpool\ntdll\pool.c

d:\win7sp1_gdr\minkernel\threadpool\ntdll\work.c

SSSSh(

t%f;U

!wu%d

AlpcReturn = %p, AlpcPort = %p, Callback = %p, Context = %p, CallbackEnviron = %p

TppIopExecuteCallback

Pool = %p, MinThreads = %d

Pool = %p, MaxThreads = %d

File = %x, Direct = %p, Pool = %p

AlpcPort = %x, Direct = %p, Pool = %p

TimerQueueQueue = %p, Timer = %p, DueTime = 0x%I64x, Window = %d

Setting KTimer to 0x6I64x (%s)

KTimer already set for due time = 0x6x

TimerQueue = %p, DoAbsoluteQueue = %s

CapturedPeriod = %d

CapturedWindow = %d

Callback = %p, Context = %p, CallbackEnviron = %p, Flags = 0xx

Wait = %p, WaitStatus = 0xx

Executing Wait callback %p(%p, %p, %p, 0xx)

Count = %d

Work = %p, Context = %p, CallbackEnviron = %p, Flags = 0xx, CleanupGroupVFuncs = %p, TaskVFuncs = %p

CleanupGroupMember = %p, CancelledCallbackCount = %d

CleanupGroupMember = %p, CallbackCount = %d

CleanupGroupMember = %p, Context = %p, CallbackEnviron = %p, Flags = 0xx, VFuncs = %p

d:\win7sp1_gdr\minkernel\threadpool\ntdll\worker.c

Tcb = %p, Wait = %p, CapturedHandle = %x

Tcb = %p, Index = %d, Wait = %p, Status = x

CapturedHasDueTime = %s

CapturedHasDueType = %s

CapturedHandle = 0x%x

Waiter wait completed with status x

Waiter is waiting: Tcb->ActiveWaits = %d, TimeoutPtr = %p, Timeout = 6I64x

*** RESCACHE: Segment %u is no longer valid. It may have been unmapped already!!! ***

*** RESCACHE: Segment %u magic field is corrupt!!! ***

ProcessHeapsListIndex

Status: x

Timer = %p, DueTime = 0x6I64x, Period = %d, WindowLength = %d

Invalid parameter passed to C runtime function.

0j.Xj0f

sBj.Xf

s%j.Zf

j%Xf;

Unhandled Exception: .exr %p - .cxr %p - Status 0xx - dt nt!_TP_CALLBACK_INSTANCE %p

Exception: .exr %p - .cxr %p - Status 0xx - dt nt!_TP_CALLBACK_INSTANCE %p

d:\win7sp1_gdr\minkernel\threadpool\ntdll\tp.c

x @ u: %s: %s:

.sb_data

ntdll.pdb

2$2(2,20242^2

2-3

< <<<@<\<`<

>(>0>4><>@>`>|>

1 1@1`1|1

2 2<2@2\2`2|2

5 5$5@5`5

7 7<7@7\7`7|7

8 8<8@8\8`8

; ;$;(;,;8;

283:4(6`6

<*<1<;<{<

8'9.989=9

=3=8=?={=

0 1 171<1

55i5s5|5

6&7-7B7}7

%s\%sd

\\?\UNC

\\?\UNC\

csrsrv.dll

\Registry\Machine\Software\Microsoft\Windows nt\currentversion\appcompatflags\AIT

\Registry\Machine\Software\Policies\Microsoft\Windows\Appcompat\

\Registry\User\.Default

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion

%ws\%u

MSCOREE.DLL

ApiPort

CSRPORT!

\Sessions\%ld\Windows\SharedSection

PCATESTDEPRECATION.DLL

MSVBVM50.DLL

MSVCP50.DLL

D3DRM.DLL

kernelbase.dll

kernel32.dll

SPPsvc.exe

DebugProcessHeapOnly

ADVAPI32.DLL

\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

.Local

"/\[]:|<> =;,?*

Objects=%4u

Objects>%4u

\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

verifier.dll

\KernelObjects\SystemErrorPortReady

\WindowsErrorReportingServicePort

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

\Registry\Machine\Software\Microsoft\SQMClient\Windows\WMR

\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\Escalation

%d.%d.%d.%d

WindowsMessageReportingB1

WinShipAssert

\Software\Microsoft\Windows

svchost.exe

\Registry\Machine\Software\Microsoft\SQMClient\Windows\DisabledProcesses\

\Registry\Machine\Software\Microsoft\SQMClient\Windows\CommonDatapoints\

\Registry\Machine\Software\Microsoft\SQMClient\Windows\DisabledSessions\

\Registry\Machine\Software\Microsoft\SQMClient\Windows

\Registry\Machine\Software\Policies\Microsoft\SQMClient\Windows

ASqmManifest_%x

\Registry\Machine\Software\Microsoft\SQMClient\Windows\AdaptiveSqm\Throttling

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

\SmApiPort

\SystemRoot\bootstat.dat

X:%u.%u.%u.%u

%%%u!%s!

WindowsExcludedProcs

KERNEL32.DLL

%SystemRoot%

windows seven

windows vista

\\.\CON

{lx-x-x-xx-xxxxxx}

.Local\

\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots

%s\%s%d%s

%s%s%d

%s%s%d%s

%s\%sd\%s*%s

Global\%s/%sd%s

%sd-%s%s

%s\%sd%s

%s\%sd\%s

%sd-%s

TimeZoneKeyName

.owner

.init

ResCache.hit

ResCache.dir

%s\%s

%s_%d

ResCache.usg

ResCache.mni

ResCache.ccm

%s\%s\%s

Global\%s%s%s

%s\%s*%s

%s\*\%s

%s\%s*

Global\%s/base%s

%sd-%s%d

%sd-%s%d%s

%s\%sd\%s%d%s

6.1.7601.17725 (win7sp1_gdr.111116-1503)

Windows

Operating System

6.1.7601.17725

The operation that was requested is pending completion.

An open/create operation completed while an oplock break is underway.

{Connect Failure on Primary Transport}

An attempt was made to connect to the remote server %hs on the primary transport, but the connection failed.

The computer WAS able to connect on a secondary transport.

Cached page was locked during operation.

A file system or file system filter driver has successfully completed an FsFilter operation.

An operation is blocked waiting for an oplock.

{Local Session Key}

A user session key was requested for a local RPC connection. The session key returned is a constant value and not unique to this connection.

A serial I/O operation was completed by another write to a serial port.

A serial I/O operation completed because the time-out period expired. (The IOCTL_SERIAL_XOFF_COUNTER had not reached zero.)

{Password Too Complex}

The Windows password is too complex to be converted to a LAN Manager password. The LAN Manager password returned is a NULL string.

The network transport returned partial data to its client. The remaining data will be sent later.

The network transport returned data to its client that was marked as expedited by the remote system.

The network transport returned partial data to its client and this data was marked as expedited by the remote system. The remaining data will be sent later.

The specified registry key is referenced by a predefined handle.

A yield execution was performed and no thread was available to run.

The operating system will currently accept only 16-bit (R2) pc-cards on this controller.

The CPUs in this multiprocessor system are not all the same revision level. To use all processors the operating system restricts itself to the features of the least capable processor in the system. Should problems occur with this system, contact the CPU manufacturer to see if this mix of processors is supported.

Windows has detected that the system firmware (BIOS) was updated [previous firmware date = %2, current firmware date %3].

The receive operation was successful. Check the ALPC completion list for the received message.

The attempt to commit the Transaction completed, but it is possible that some portion of the transaction tree did not commit successfully due to heuristics. Therefore it is possible that some data modified in the transaction may not have committed, resulting in transactional inconsistency. If possible, check the consistency of the associated data.

The %hs display driver has detected and recovered from a failure. Some graphical operations may have failed. The next time you reboot the machine a dialog will be displayed giving you a chance to upload data about this failure to Microsoft.

A single step or trace operation has just been completed.

Handles to objects have been automatically closed as a result of the requested operation.

During the translation of a global identifier (GUID) to a Windows security ID (SID), no administratively-defined GUID prefix was found. A substitute prefix was used, which will not compromise system security. However, this may provide a more restrictive access than intended.

The media has changed and a verify operation is in progress so no reads or writes may be performed to the device, except those used in the verify operation.

No more entries are available from an enumeration operation.

A long jump has been executed.

The Plug and Play query operation was not successful.

A frame consolidation has been executed.

The application is attempting to run executable code from the module %hs. This may be insecure. An alternative, %hs, is available. Should the application use the secure module %hs?

The application is loading executable code from the module %hs. This is secure, but may be incompatible with previous releases of the operating system. An alternative, %hs, is available. Should the application use the secure module %hs?

The create operation stopped after reaching a symbolic link.

The device has indicated that it's door is open. Further operations require it closed and secured.

Windows discovered a corruption in the file "%hs".

BitLocker encryption keys were ignored because the volume was in a transient state.

A virtual machine is running with its memory allocated across multiple NUMA nodes. This does not indicate a problem unless the performance of your virtual machine is unusually slow. If you are experiencing performance problems, you may need to modify the NUMA configuration. For detailed information, see hXXp://go.microsoft.com/fwlink/?LinkId=92362.

The regeneration operation was not able to copy all data from the active plexes due to bad sectors.

One or more disks were not fully migrated to the target pack. They may or may not require reimport after fixing the hardware problems.

Some BCD entries were not imported correctly from the BCD store.

{Operation Failed}

The requested operation was unsuccessful.

The requested operation is not implemented.

The instruction at 0xlx referenced memory at 0xlx. The memory could not be %s.

The instruction at 0x%p referenced memory at 0x%p. The required data was not placed into memory because of an I/O error status of 0x%x.

An invalid parameter was passed to a service or function.

The specified request is not a valid operation for the target device.

The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.

Not enough virtual memory or paging file quota is available to complete the specified operation.

An attempt was made to execute an illegal instruction.

An attempt was made to execute an invalid lock sequence.

There is a mismatch between the type of object required by the requested operation and the type of object that is specified in the request.

Windows cannot continue from this exception.

An invalid or unaligned stack was encountered during an unwind operation.

An invalid unwind target was encountered during an unwind operation.

Device parity error on I/O operation.

Invalid Object Attributes specified to NtCreatePort or invalid Port Attributes specified to NtConnectPort

Length of message passed to NtRequestPort or NtRequestWaitReplyPort was longer than the maximum message allowed by the port.

Attempt to send a message to a disconnected communication port.

The NtConnectPort request is refused.

The type of port handle is invalid for the operation requested.

Insufficient quota exists to complete the operation

An attempt to set a process's DebugPort or ExceptionPort was made, but a port already exists in the process or an attempt to set a file's CompletionPort made, but a port was already set in the file or an attempt to set an ALPC port's associated completion port was made, but it is already set.

An operation involving EAs failed because the file system does not support EAs.

An EA operation failed because EA set is too large.

An EA operation failed because the name or EA index is invalid.

A non close operation has been requested of a file object with a delete pending.

An attempt was made to set the control attribute on a file. This attribute is not supported in the target file system.

An attempt has been made to operate on an impersonation token by a thread that is not currently impersonating a client.

Indicates the requested operation would disable or delete the last remaining administration account.

When trying to update a password, this return status indicates that the value provided as the current password is not correct.

When trying to update a password, this return status indicates that the value provided for the new password contains values that are not allowed in passwords.

When trying to update a password, this status indicates that some password update rule has been violated. For example, the password may not meet length criteria.

The user account's password has expired.

%hs is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support.

An operation failed because the disk was full.

Floating-point denormal operand.

Floating-point invalid operation.

An attempt was made to install more paging files than the system supports.

An attempt was made to execute an instruction at an unaligned address and the host system does not support unaligned instruction references.

The maximum named pipe instance count has been reached.

An instance of a named pipe cannot be found in the listening state.

The named pipe is not in the connected or closing state.

The specified pipe is set to complete operations and there are current I/O operations queued so it cannot be changed to queue operations.

The specified handle is not open to the server end of the named pipe.

The specified named pipe is in the disconnected state.

The specified named pipe is in the closing state.

The specified named pipe is in the connected state.

The specified named pipe is in the listening state.

The specified named pipe is not in message mode.

The specified I/O operation on %hs was not completed before the time-out period expired.

The passed ACL did not contain the minimum required information.

The request is not supported.

Indicates an attempt was made to operate on the security of an object that does not have security associated with it.

Used to indicate that an operation cannot continue without blocking for I/O.

Used to indicate that a read operation was done on an empty pipe.

Indicates the Sam Server was in the wrong state to perform the desired operation.

Indicates the Domain was in the wrong state to perform the desired operation.

This operation is only allowed for the Primary Domain Controller of the domain.

This error indicates that the requested operation cannot be completed due to a catastrophic media failure or on-disk data structure corruption.

An invalid parameter was passed to a service or function as the first argument.

An invalid parameter was passed to a service or function as the second argument.

An invalid parameter was passed to a service or function as the third argument.

An invalid parameter was passed to a service or function as the fourth argument.

An invalid parameter was passed to a service or function as the fifth argument.

An invalid parameter was passed to a service or function as the sixth argument.

An invalid parameter was passed to a service or function as the seventh argument.

An invalid parameter was passed to a service or function as the eighth argument.

An invalid parameter was passed to a service or function as the ninth argument.

An invalid parameter was passed to a service or function as the tenth argument.

An invalid parameter was passed to a service or function as the eleventh argument.

An invalid parameter was passed to a service or function as the twelfth argument.

A malformed function table was encountered during an unwind operation.

The logon session is not in a state that is consistent with the requested operation.

Indicates that an attempt has been made to impersonate via a named pipe that has not yet been read from.

Indicates that the transaction state of a registry sub-tree is incompatible with the requested operation. For example, a request has been made to start a new transaction with one already in progress, or a request has been made to apply a transaction when one is not currently in progress.

This error should only be returned by the Windows redirector on a remote drive.

Indicates an operation has been attempted on a built-in (special) SAM account which is incompatible with built-in accounts. For example, built-in accounts cannot be deleted.

The operation requested may not be performed on the specified group because it is a built-in special group.

The operation requested may not be performed on the specified user because it is a built-in special user.

An I/O request other than close and several other special case operations was attempted using a file object that had already been closed.

An attempt was made to operate on a thread within a specific process, but the thread specified is not in the process specified.

Your system is low on virtual memory. To ensure that Windows runs properly, increase the size of your virtual memory paging file. For more information, see Help.

The specified image file did not have the correct format, it appears to be a 16-bit Windows image.

The SAM database on a Windows Server is significantly out of synchronization with the copy on the Domain Controller. A complete synchronization is required.

The NtCreateFile API failed. This error should never be returned to an application, it is a place holder for the Windows Lan Manager Redirector to use in its internal error mapping routines.

The network transport on your computer has closed a network connection. There may or may not be I/O requests outstanding.

The network transport on a remote computer has closed a network connection. There may or may not be I/O requests outstanding.

The network transport on your computer has closed a network connection because it had to wait too long for a response from the remote computer.

The connection handle given to the transport was invalid.

The address handle given to the transport was invalid.

The exception %s (0xlx) occurred in the application at location 0xlx.

An invalid level was passed into the specified system call.

{Incorrect Password to LAN Manager Server}

You specified an incorrect password to a LAN Manager 2.x or MS-NET server.

The pipe operation has failed because the other end of the pipe has been closed.

An I/O operation initiated by the Registry failed unrecoverably. The Registry could not read in, or write out, or flush, one of the files that contain the system's image of the Registry.

An event pair synchronization operation was performed using the thread specific client/server event pair object, but no event pair object was associated with the thread.

The maximum number of secrets that may be stored in a single system has been exceeded. The length and number of secrets is limited to satisfy United States State Department export restrictions.

The length of a secret exceeds the maximum length allowed. The length and number of secrets is limited to satisfy United States State Department export restrictions.

The requested operation cannot be performed in fullscreen mode.

An attempt was made to change a user password in the security account manager without providing the necessary Windows cross-encrypted password.

A Windows Server has an incorrect configuration.

The floppy disk controller reported an error that is not recognized by the floppy disk driver.

While accessing the hard disk, a recalibrate operation failed, even after retries.

While accessing the hard disk, a disk operation failed even after retries.

Two concurrent opens of devices that share an IRQ and only work via interrupts is not supported for the particular bus type that the devices use.

Illegal operation attempted on a registry key which has been marked for deletion.

An attempt was made to change a user password in the security account manager without providing the necessary LM cross-encrypted password.

An attempt was made to create a symbolic link in a registry key that already has subkeys or values.

An attempt was made to create a Stable subkey under a Volatile parent key.

The I/O device reported an I/O error.

Log file space is insufficient to support this operation.

A write operation was attempted to a volume after it was dismounted.

The SAM database on the Windows Server does not have a computer account for this workstation trust relationship.

A requested file lock operation cannot be processed due to an invalid byte range.

The subsystem needed to support the image type is not present.

There is no user session key for the specified logon session.

The size of the buffer is invalid for the specified operation.

The transport rejected the network address specified as invalid.

The transport rejected the network address specified due to an invalid use of a wildcard.

The transport address could not be opened because all the available addresses are in use.

The transport address could not be opened because it already exists.

The transport address is now closed.

The transport connection is now disconnected.

The transport connection has been reset.

The transport cannot dynamically acquire any more nodes.

The transport aborted a pending transaction.

The transport timed out a request waiting for a response.

The transport did not receive a release for a pending response.

The transport did not find a transaction matching the specific token.

The transport had previously responded to a transaction request.

The transport does not recognized the transaction request identifier specified.

The transport does not recognize the transaction request type specified.

The transport can only process the specified request on the server side of a session.

The transport can only process the specified request on the client side of a session.

The %hs system process terminated unexpectedly with a status of 0xx (0xx 0xx).

Windows was unable to save all the data for the file %hs. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

The parameter(s) passed to the server in the client/server shared memory window were invalid. Too much data may have been put in the shared memory window.

The user's password must be changed before logging on the first time.

Internal OFS status codes indicating how an allocation operation is handled. Either it is retried after the containing onode is moved or the extent stream is converted to a large stream.

The attempt to find the object found an object matching by ID on the volume but it is out of the scope of the handle used for the operation.

The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.

The transport connection attempt was refused by the remote system.

The transport connection was gracefully closed.

The transport endpoint already has an address associated with it.

An address has not yet been associated with the transport endpoint.

An operation was attempted on a nonexistent transport connection.

An invalid operation was attempted on an active transport connection.

The remote network is not reachable by the transport.

The remote system is not reachable by the transport.

The remote system does not support the transport protocol.

No service is operating at the destination port of the transport on the remote system.

The transport connection was aborted by the local system.

The requested operation cannot be performed on a file with a user mapped section open.

Attempting to login during an unauthorized time of day for this account.

The account is not authorized to login from this station.

The dynamic link library %hs is not written correctly. The stack pointer has been left in an inconsistent state. The entrypoint should be declared as WINAPI or STDCALL. Select YES to fail the DLL load. Select NO to continue execution. Selecting NO may cause the application to operate incorrectly.

The %hs service is not written correctly. The stack pointer has been left in an inconsistent state. The callback entrypoint should be declared as WINAPI or STDCALL. Selecting OK will cause the service to continue operation. However, the service process may operate incorrectly.

The contacted server does not support the indicated part of the DFS namespace.

A callback return system service cannot be executed when no callback is active.

The password provided is too short to meet the policy of your user account. Please choose a longer password.

The policy of your user account does not allow you to change passwords too frequently. This is done to prevent users from changing back to a familiar, but potentially discovered, password. If you feel your password has been compromised then please contact your administrator immediately to have a new one assigned.

You have attempted to change your password to one that you have used in the past. The policy of your user account does not allow this. Please select a password that you have not previously used.

The specified compression format is unsupported.

An attempt was made to create more links on a file than the file system supports.

{Windows Evaluation Notification}

The evaluation period for this installation of Windows has expired. This system will shutdown in 1 hour. To restore access to this installation of Windows, please upgrade this installation using a licensed distribution of this product.

The system DLL %hs was relocated in memory. The application will not run properly. The relocation occurred because the DLL %hs occupied an address range reserved for Windows system DLLs. The vendor supplying the DLL should be contacted for a new DLL.

Error Status was 0x%x

An operation was attempted to a volume after it was dismounted.

There was no match for the specified key in the index.

The Windows I/O reparse tag passed for the NTFS reparse point is invalid.

The Windows I/O reparse tag does not match the one present in the NTFS reparse point.

The user data passed for the NTFS reparse point is invalid.

There are no EFS keys defined for the user.

The specified file is not in the defined EFS export format.

The guid passed was not recognized as valid by a WMI data provider.

The instance name passed was not recognized as valid by a WMI data provider.

The data item id passed was not recognized as valid by a WMI data provider.

The remote storage service is not operational at this time.

The requested operation could not be performed because the directory service is not the master for that type of operation.

The requested operation did not satisfy one or more constraints associated with the class of the object.

The directory service can perform the requested operation only on a leaf object.

The directory service cannot perform the requested operation on the Relatively Defined Name (RDN) attribute of an object.

An error occurred while performing a cross domain move operation.

The requested operation requires a directory service, and none was available.

The requested interface is not supported.

The driver %hs does not support standby mode. Updating this driver may allow the system to go to standby mode.

Mutual Authentication failed. The server's password is out of date at the domain controller.

Your system is low on virtual memory. Windows is increasing the size of your virtual memory paging file. During this process, memory requests for some applications may be denied. For more information, see Help.

The medium changer's transport element contains media, which is causing the operation to fail.

Error Status: 0x%x.

This operation is supported only when you are connected to the server.

The system image %s is not properly signed. The file has been replaced with the signed file. The system has been shut down.

Current device power state cannot support this request.

The WMI operation is not supported by the data block or method.

There is not enough power to complete the requested operation.

Security Account Manager needs to get the boot password.

Security Account Manager needs to get the boot key from floppy disk.

The requested operation can be performed only on a global catalog server.

Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased.

This operation cannot be performed on the current domain.

The other end of the security negotiation is requires strong crypto but it is not supported on the local machine.

The client certificate does not contain a valid UPN, or does not match the client name in the logon request. Please contact your administrator.

The encryption type requested is not supported by the KDC.

This operation is not supported on a computer running Windows Server 2003 for Small Business Server

The Master File Table on the volume is too fragmented to complete this operation.

Copy protection error - The given sector does not contain a valid key.

Copy protection error - DVD session key not established.

The Kerberos protocol encountered an error while validating the KDC certificate during smartcard Logon. There is more information in the system event log.

The transport determined that the remote system is down.

An unsupported preauthentication mechanism was presented to the Kerberos package.

The encryption algorithm used on the source file needs a bigger key buffer than the one used on the destination file.

An attempt to remove a process's DebugPort was made, but a port was not already associated with the process.

Debugger Inactive: Windows may have been started without kernel debugging enabled.

This version of Windows is not compatible with the behavior version of directory forest, domain or domain controller.

The specified image file did not have the correct format, it appears to be a 32-bit Windows image.

The specified image file did not have the correct format, it appears to be a 64-bit Windows image.

The SID filtering operation removed all SIDs.

The create operation failed because the name contained at least one mount point which resolves to a volume to which the specified device object is not attached.

A dynamic link library (DLL) referenced a module that was neither a DLL nor the process's executable image.

The requested key container does not exist on the smart card

The requested certificate does not exist on the smart card

The requested keyset does not exist

The smartcard certificate used for authentication has been revoked. Please contact your system administrator. There may be additional information in the event log.

An untrusted certificate authority was detected While processing the smartcard certificate used for authentication. Please contact your system administrator.

The revocation status of the smartcard certificate used for authentication could not be determined. Please contact your system administrator.

The smartcard certificate used for authentication was not trusted. Please contact your system administrator.

The smartcard certificate used for authentication has expired. Please

The Kerberos subsystem encountered an error. A service for user protocol request was made against a domain controller which does not support service for user.

An attempt was made by this server to make a Kerberos constrained delegation request for a target outside of the server's realm. This is not supported, and indicates a misconfiguration on this server's allowed to delegate to list. Please contact your administrator.

The revocation status of the domain controller certificate used for smartcard authentication could not be determined. There is additional information in the system event log. Please contact your system administrator.

An untrusted certificate authority was detected while processing the domain controller certificate used for authentication. There is additional information in the system event log. Please contact your system administrator.

The domain controller certificate used for smartcard logon has expired. Please contact your system administrator with the contents of your system event log.

The domain controller certificate used for smartcard logon has been revoked. Please contact your system administrator with the contents of your system event log.

Data present in one of the parameters is more than the function can operate on.

An attempt to delay-load a .dll or get a function address in a delay-loaded .dll failed.

%hs is a 16-bit application. You do not have permissions to execute 16-bit applications. Check your permissions with your system administrator.

The %hs display driver has stopped working normally. Save your work and reboot the system to restore full display functionality. The next time you reboot the machine a dialog will be displayed giving you a chance to report this failure to Microsoft.

An invalid parameter was passed to a C runtime function.

Illegal operation attempted on a registry key which has already been unloaded.

The requested operation could not be completed due to a file system limitation

Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

The requested operation is out of order with respect to other operations.

An operation attempted to exceed an implementation-defined limit.

The requested operation requires elevation.

The PKU2U protocol encountered an error while attempting to utilize the associated certificates.

The operation was attempted beyond the valid data length of the file.

The attempted write operation encountered a write already in progress for some portion of the range.

The page fault mappings changed in the middle of processing a fault so the operation must be retried.

Client Side Encryption is not supported by the remote server even though it claims to support it.

The specified thread is already joining a task.

A callback has requested to bypass native code.

Windows cannot verify the digital signature for this file. The signing certificate for this file has been revoked.

The ALPC port is closed.

The connection port is used in an invalid context.

The ALPC port does not accept new request messages.

The hardware has reported an uncorrectable memory error.

Status 0xx was returned, waiting on handle 0x%x for wait 0x%p, in waiter 0x%p.

After a callback to 0x%p(0x%p), a completion call to SetEvent(0x%p) failed with status 0xx.

After a callback to 0x%p(0x%p), a completion call to ReleaseSemaphore(0x%p, %d) failed with status 0xx.

After a callback to 0x%p(0x%p), a completion call to ReleaseMutex(%p) failed with status 0xx.

After a callback to 0x%p(0x%p), an completion call to FreeLibrary(%p) failed with status 0xx.

A threadpool worker thread is impersonating a client, after executing an APC.

The client certificate account mapping is not unique.

The specified port already has a completion list.

A threadpool worker thread enter a callback at thread base priority 0x%x and exited at priority 0x%x.

An invalid thread, handle %p, is specified for this operation. Possibly, a threadpool worker thread was specified.

The attempted operation required self healing to be enabled.

The Directory Service cannot perform the requested operation because a domain rename operation is in progress.

The requested file operation failed because the storage quota was exceeded.

The requested file operation failed because the storage policy blocks that type of file. For more information, contact your system administrator.

The operation could not be completed due to bad clusters on disk.

The operation could not be completed because the volume is dirty. Please run chkdsk and try again.

Access Denied. Before opening files in this location, you must first browse to the web site and select the option to login automatically.

Operation did not complete successfully because the file contains a virus.

The operation did not complete successfully because it would cause an oplock to be broken. The caller has requested that existing oplocks not be broken.

The cryptographic provider does not support HMAC.

An operation or data has been rejected while on the network fast path.

Windows was unable to save all the data for the file %hs; the data has been lost.

Windows was unable to parse the requested XML data.

The RPC protocol sequence is not supported.

Not enough resources are available to complete this operation.

The RPC server is too busy to complete this operation.

The remote procedure call failed and did not execute.

The transfer syntax is not supported by the RPC server.

The type UUID is not supported.

The name syntax is not supported.

The operation cannot be performed.

No interfaces have been exported.

There is nothing to unexport.

The requested operation is not supported.

A floating point operation at the RPC server caused a divide by zero.

The requested authentication level is not supported.

The error specified is not a valid Windows RPC error code.

Invalid asynchronous RPC call handle for this operation.

Access to the HTTP proxy is denied.

HTTP proxy server rejected the connection because the cookie authentication failed.

A null context handle is passed as an [in] parameter.

The binding handles passed to a remote procedure call do not match.

A null reference pointer was passed to the stub.

Invalid operation on the encoding/decoding handle.

The RPC pipe object is invalid or corrupted.

An invalid operation was attempted on an RPC pipe object.

Unsupported RPC pipe version.

The RPC pipe object has already been closed.

The RPC call completed before all pipes were processed.

No more data is available from the RPC pipe.

Reissue the given operation as a cached IO operation

A close operation is pending on the Terminal Connection.

The MODEM.INF file was not found.

The modem (%1) was not found in MODEM.INF.

Transport driver error

An attempt has been made to connect to a session whose video mode is not supported by the current client.

DOS graphics mode is not supported.

The requested operation can be performed only on the system console.

Disconnecting the console session is not supported.

Reconnecting a disconnected session to the console is not supported.

The remote control of the console was terminated because the display mode was changed. Changing the display mode in a remote control session is not supported.

Windows can't connect to your session because a problem occurred in the Windows video subsystem. Try connecting again later, or contact the server administrator for assistance.

The resource loader failed to load MUI file because the file fail to pass validation.

The RC Manifest is corrupted with garbage data or unsupported version or missing required item.

A node is in the process of joining the cluster.

A cluster join operation is not in progress.

Windows was not able to process the application binding information.

The requested lookup key was not found in any active activation context.

Lack of system resources has required isolated activation to be disabled for the current thread of execution.

The activation context being deactivated is not active for the current thread of execution.

The activation context activation stack for the running thread of execution is corrupt.

A generic command executable returned a result that indicates failure.

The transaction handle associated with this operation is not valid.

The requested operation was made in the context of a transaction that is no longer active.

The Transaction Manager was unable to be successfully initialized. Transacted operations are not supported.

Transaction support within the specified resource manager is not started or was shut down due to an error.

The resource manager has attempted to prepare a transaction that it has not successfully joined.

The remote server or share does not support transacted file operations.

The Transaction object already has a superior enlistment, and the caller attempted an operation that would have created a new superior. Only a single superior enlistment is allowed.

The requested operation is not valid on the Transaction object in its current state.

It is too late to perform the requested operation, since the Transaction has already been aborted.

It is too late to perform the requested operation, since the Transaction has already been committed.

The buffer passed in to NtPushTransaction or NtPullTransaction is not in a valid format.

The operation cannot be performed because another transaction is depending on the fact that this property will not change.

The operation would involve a single file with two transactional resource managers and is therefore not allowed.

The $Txf directory must be empty for this operation to succeed.

The operation would leave a transactional resource manager in an inconsistent state and is therefore not allowed.

The operation could not be completed because the transaction manager does not have a log.

A rollback could not be scheduled because a previously scheduled rollback has already executed or been queued for execution.

The encryption operation could not be completed because a transaction is active.

Memory mapping (creating a mapped section) a remote file under a transaction is not supported.

This file is open for modification in an unresolved transaction and may be opened for execute only by a transacted reader.

The target volume is not a snapshot volume. This operation is only valid on a volume mounted as a snapshot.

The savepoint operation failed because files are open on the transaction. This is not permitted.

The sparse operation could not be completed because a transaction is active on the file.

The call to create a TransactionManager object failed because the Tm Identity stored in the logfile does not match the Tm Identity that was passed in as an argument.

The compression operation could not be completed because a transaction is active on the file.

The specified operation could not be performed on this Superior enlistment, because the enlistment was not created with the corresponding completion response in the NotificationMask.

The specified operation could not be performed, because the record that would be logged was too long. This can occur because of two conditions: either there are too many Enlistments on this Transaction, or the combined RecoveryInformation being logged on behalf of those Enlistments is too long.

The link tracking operation could not be completed because a transaction is active.

This operation cannot be performed in a transaction.

This snapshot operation cannot continue because a transactional resource manager cannot be frozen in its current state. Please try again.

The specified operation could not be performed because the resource manager is not enlisted in the transaction.

A policy on the log in question prevented the operation from completing.

Log is multiplexed, no direct writes to the physical log is allowed.

The operation failed because the log is a dedicated log.

The operation requires an archive context.

The operation requires a non-ephemeral log, but the log is ephemeral.

A handler was not defined by the filter for this operation.

Asynchronous requests are not valid for this operation.

Internal error code used by the filter manager to determine if a fastio operation should be forced down the IRP path. Mini-filters should never return this value.

Posting this operation to a worker thread for further processing is not safe at this time because it could lead to a system deadlock.

The filter must cleanup any operation specific context at this time because it is being removed from the system before the operation is completed by the lower drivers.

The Filter Manager had an internal error from which it cannot recover, therefore the operation has been failed. This is usually the result of a filter returning an invalid value from a pre-operation callback.

A duplicate handler definition has been provided for an operation.

Format of the obtained monitor descriptor is not supported by this release.

The driver needs more DMA buffer space in order to complete the requested operation.

Not enough video memory available to complete the operation.

The allocation can't be used from it's current segment location for the specified operation.

Specified VidPN topology is valid but is not supported by this model of the display adapter.

Specified VidPN topology is valid but is not supported by the display adapter at this time, due to current allocation of its resources.

Specified VidPN modality is not supported (e.g. at least two of the pinned modes are not cofunctional).

Miniport has no recommendation for augmentation of the specified VidPN's topology.

Miniport does not have any recommendation regarding the request to provide a functional VidPN given the current display adapter configuration.

System failed to determine a mode that is supported by both the display adapter and the monitor connected to it.

Specified VidPN present path importance ordinal is invalid.

Specified content geometry transformation is not supported on the respective VidPN present path.

Specified gamma ramp is not supported on the respective VidPN present path.

Multi-sampling is not supported on the respective VidPN present path.

All available importance ordinals are already used in specified topology.

Maximum supported number of present paths has been reached.

Miniport requested that augmentation be cancelled for the specified source of the specified VidPN's topology.

Specified display adapter child device does not support descriptor exposure.

An operation is being attempted that requires the display adapter to be in a quiescent state.

The driver does not support OPM.

The driver does not support COPP.

The driver does not support UAB.

The GDI display device passed to this function does not have any active protected outputs.

An internal error caused an operation to fail.

The function failed because the caller passed in an invalid OPM user mode handle.

A certificate could not be returned because the certificate buffer passed to the function was too small.

The HDCP System Renewability Message passed to this function did not comply with section 5 of the HDCP 1.1 specification.

The protected output cannot enable the High-bandwidth Digital Content Protection (HDCP) System because it does not support HDCP.

The protected output cannot enable Analogue Copy Protection (ACP) because it does not support ACP.

The protected output cannot enable the Content Generation Management System Analogue (CGMS-A) protection technology because it does not support CGMS-A.

The DxgkDdiOPMGetInformation function cannot return the version of the SRM being used because the application never successfully passed an SRM to the protected output.

The operating system asynchronously destroyed this OPM protected output because the operating system's state changed. This error typically occurs because the monitor PDO associated with this protected output was removed, the monitor PDO associated with this protected output was stopped, or the protected output's session became a non-console session.

The DxgkDdiOPMGetInformation and DxgkDdiOPMGetCOPPCompatibleInformation functions return this error code if the passed in sequence number is not the expected sequence number or the passed in OMAC value is invalid.

The DxgkDdiOPMGetCOPPCompatibleInformation and DxgkDdiOPMConfigureProtectedOutput functions return this error if the display driver does not support the DXGKMDT_OPM_GET_ACP_AND_CGMSA_SIGNALING and DXGKMDT_OPM_SET_ACP_AND_CGMSA_SIGNALING GUIDs.

The DxgkDdiOPMConfigureProtectedOutput function returns this error code if the passed in sequence number is not the expected sequence number or the passed in OMAC value is invalid.

The monitor does not support the specified VCP code.

The function failed because a monitor returned an invalid Timing Status byte when the operating system used the DDC/CI Get Timing Report & Timing Message command to get a timing report from a monitor.

A monitor returned a DDC/CI capabilities string which did not comply with the ACCESS.bus 3.0, DDC/CI 1.1, or MCCS 2 Revision 1 specification.

An operation failed because a DDC/CI message had an invalid value in its command field.

This function failed because an invalid monitor handle was passed to it.

The operating system asynchronously destroyed the monitor which corresponds to this handle because the operating system's state changed. This error typically occurs because the monitor PDO associated with this handle was removed, the monitor PDO associated with this handle was stopped, or a display mode change occurred. A display mode change occurs when windows sends a WM_DISPLAYCHANGE windows message to applications.

The function failed because the specified GDI display device was not attached to the Windows desktop.

This function does not support GDI mirroring display devices because GDI mirroring display devices do not have any physical monitors associated with them.

The function failed because an invalid pointer parameter was passed to it. A pointer parameter is invalid if it is NULL, it points to an invalid address, it points to a kernel mode address or it is not correctly aligned.

This function failed because the GDI device passed to it did not have any monitors associated with it.

An array passed to the function cannot hold all of the data that the function must copy into the array.

The volume is not encrypted, no key is available.

The volume cannot be encrypted because the file system is not supported.

This operation cannot be performed while a file system is mounted on the volume.

BitLocker Drive Encryption is not included with this version of Windows.

A read operation failed while converting the volume.

A write operation failed while converting the volume.

The encryption algorithm does not support the sector size of that volume.

The BitLocker startup key or recovery password could not be read from external media.

The BitLocker startup key or recovery password file is corrupt or invalid.

The BitLocker encryption key could not be obtained from the startup key or recovery password.

The authorization data for the Storage Root Key (SRK) of the Trusted Platform Module (TPM) is not zero.

The system boot information changed or the Trusted Platform Module (TPM) locked out access to BitLocker encryption keys until the computer is restarted.

The BitLocker encryption key could not be obtained from the Trusted Platform Module (TPM).

The BitLocker encryption key could not be obtained from the Trusted Platform Module (TPM) and PIN.

The Boot Configuration Data (BCD) settings are not supported or have changed since BitLocker was enabled.

The BitLocker encryption key could not be obtained.

The auto-unlock master key was not available from the operating system volume. Retry the operation using the BitLocker WMI interface.

This feature of BitLocker Drive Encryption is not included with this version of Windows.

The management information stored on the drive contained an unknown type. If you are using an old version of Windows, try accessing the drive from the latest version.

The BitLocker encryption key could not be obtained from the Trusted Platform Module (TPM) and enhanced PIN. Try using a PIN containing only numerals.

The operation is not supported by the specified layer.

The displayData.name field cannot be null.

A filter condition contains a match type that is not compatible with the operands.

A filter cannot contain multiple conditions operating on a single field.

A policy cannot contain the same keying module more than once.

The TCP/IP stack is not ready.

Network interface is not ready to complete this operation.

The length of the buffer submitted for this operation is not valid.

The data used for this operation is not valid.

The length of buffer submitted for this operation is too small.

Network interface does not support this OID (Object Identifier)

Network interface does not support this media type.

The I/O operation failed because network media is disconnected or wireless access point is out of range.

The offload operation on the network interface has been paused.

The revision number specified in the structure is not supported.

The specified port does not exist on this network interface.

The current state of the specified port on this network interface does not support the requested operation.

The miniport adapter is in lower power state.

Netword interface does not support this request.

The TCP connection is not offloadable because of a local policy setting.

The TCP connection is not offloadable by the Chimney offload target.

The wireless local area network interface is in auto configuration mode and doesn't support the requested parameter change operation.

The wireless local area network interface is busy and can not perform the requested operation.

The wireless local area network interface is power down and doesn't support the requested operation.

The hypervisor does not support the operation because the specified hypercall code is not supported.

The hypervisor does not support the operation because the encoding for the hypercall input register is not supported.

The hypervisor could not perform the operation beacuse a parameter has an invalid alignment.

The hypervisor could not perform the operation beacuse an invalid parameter was specified.

The hypervisor could not perform the operation because the partition is entering or in an invalid state.

The operation is not allowed in the current state.

There is not enough memory in the hypervisor pool to complete the operation.

The hypervisor could not perform the operation because the specified VP index is invalid.

The hypervisor could not perform the operation because the specified port identifier is invalid.

The hypervisor could not perform the operation because the specified connection identifier is invalid.

The hypervisor could not complete the operation because a required feature of the synthetic interrupt controller (SynIC) was disabled.

The hypervisor could not perform the operation because the object or value was either already in use or being used for a purpose that would not permit completing the operation.

The physical connection being used for debuggging has not recorded any receive activity since the last operation.

There are not enough resources to complete the operation.

IPsec DoS Protection received an IPsec negotiation packet for a keying module which is not allowed by policy.

Cannot unlock the page array for the guest operating system memory address because it does not match a previous lock request. Restarting the virtual machine may fix the problem. If the problem persists, try restarting the physical computer.

The non-uniform memory access (NUMA) node settings do not match the system NUMA topology. In order to start the virtual machine, you will need to modify the NUMA configuration. For detailed information, see hXXp://go.microsoft.com/fwlink/?LinkId=92362.

The lock or unlock request uses an invalid guest operating system memory address. Restarting the virtual machine may fix the problem. If the problem persists, try restarting the physical computer.

The specified disk is an invalid disk. Operation cannot complete on an invalid disk.

The disk layout contains more than the maximum number of supported partitions.

The specified disk is missing. The operation cannot complete on a missing disk.

There is not enough usable space for this operation.

Dynamic disks are not supported on this system.

The system does not support fault tolerant volumes.

The specified number of plexes is invalid.

The specified pack is the invalid pack. The operation cannot complete with the invalid pack.

The specified disk has an unsupported partition style. Only MBR and GPT partition styles are supported.

The specified plex is already in-sync with the other active plexes. It does not need to be regenerated.

The specified plex index is greater or equal than the number of plexes in the volume.

The operation is only supported on RAID-5 plexes.

The operation is only supported on simple plexes.

The operation is only supported on mirrored volumes.

The operation is not supported on mirrored volumes.

The operation is only supported on simple and spanned plexes.

The system does not support mirrored volumes.

The system does not support RAID-5 volumes.

The version does not support this version of the file format.

The system does not support this version of the virtual hard disk.This version of the sparse header is not supported.

The system does not support this version of the virtual hard disk. The block size is invalid.

A virtual disk support provider for the specified file was not found.

The requested operation could not be completed due to a virtual disk system limitation. Virtual disks are only supported on NTFS volumes and must be both uncompressed and unencrypted.

The requested operation cannot be performed on a virtual disk of this type.

The requested operation cannot be performed on the virtual disk in its current state.

The sector size of the physical disk on which the virtual disk resides is not supported.

The Derived Indexed Store is not present (or currently loaded) on this system.

%original file name%.exe_3700_rwx_01970000_0003E000:

`.rsrc

L$(h%f

SSh0j

hu2.iu

msctls_hotkey32

TVCLHotKey

THotKey

\skinh.she

}uo,x6l5k%x-l h

9p%s m)t4`#b

e"m?c&y1`Ð<

SetViewportOrgEx

SetViewportExtEx

SetWindowsHookExA

UnhookWindowsHookEx

EnumThreadWindows

EnumChildWindows

`c%US.4/

!#$<#$#=

.text

`.rdata

@.data

.rsrc

@.UPX0

`.UPX1

`.reloc

hJK.ZH

O.qt0

KERNEL32.DLL

COMCTL32.dll

GDI32.dll

MSIMG32.dll

MSVCRT.dll

MSVFW32.dll

USER32.dll

SkinH_EL.dll

1, 0, 6, 6

- Skin.dll

%original file name%.exe_3700_rwx_019D0000_0001E000:

IPHLPAPI.DLL

CreatePersistentTcpPortReservation

CreatePersistentUdpPortReservation

DeletePersistentTcpPortReservation

DeletePersistentUdpPortReservation

GetExtendedTcpTable

GetExtendedUdpTable

GetOwnerModuleFromTcp6Entry

GetOwnerModuleFromTcpEntry

GetOwnerModuleFromUdp6Entry

GetOwnerModuleFromUdpEntry

GetPerTcp6ConnectionEStats

GetPerTcp6ConnectionStats

GetPerTcpConnectionEStats

GetPerTcpConnectionStats

GetTcp6Table

GetTcp6Table2

GetTcpStatistics

GetTcpStatisticsEx

GetTcpTable

GetTcpTable2

GetTeredoPort

GetUdp6Table

GetUdpStatistics

GetUdpStatisticsEx

GetUdpTable

InternalGetTcp6Table2

InternalGetTcp6TableWithOwnerModule

InternalGetTcp6TableWithOwnerPid

InternalGetTcpTable

InternalGetTcpTable2

InternalGetTcpTableEx

InternalGetTcpTableWithOwnerModule

InternalGetTcpTableWithOwnerPid

InternalGetUdp6TableWithOwnerModule

InternalGetUdp6TableWithOwnerPid

InternalGetUdpTable

InternalGetUdpTableEx

InternalGetUdpTableWithOwnerModule

InternalGetUdpTableWithOwnerPid

InternalSetTcpEntry

InternalSetTeredoPort

LookupPersistentTcpPortReservation

LookupPersistentUdpPortReservation

NotifyTeredoPortChange

SetPerTcp6ConnectionEStats

SetPerTcp6ConnectionStats

SetPerTcpConnectionEStats

SetPerTcpConnectionStats

SetTcpEntry

{lX-X-X-XX-XXXXXX}

SYSTEM\CurrentControlSet\Services\Tcpip\Linkage

SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\

Ht.HHt

%SSSSj

dhcpcsvc.DLL

dhcpcsvc6.DLL

DNSAPI.dll

WS2_32.dll

API-MS-Win-Core-DelayLoad-L1-1-0.dll

API-MS-Win-Security-Base-L1-1-0.dll

API-MS-Win-Core-SysInfo-L1-1-0.dll

API-MS-Win-Core-Synch-L1-1-0.dll

API-MS-Win-Core-String-L1-1-0.dll

API-MS-Win-Core-Profile-L1-1-0.dll

API-MS-Win-Core-ProcessThreads-L1-1-0.dll

API-MS-Win-Core-Misc-L1-1-0.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

API-MS-Win-Core-LibraryLoader-L1-1-0.dll

API-MS-Win-Core-Interlocked-L1-1-0.dll

API-MS-Win-Core-Heap-L1-1-0.dll

API-MS-Win-Core-Handle-L1-1-0.dll

API-MS-Win-Core-ErrorHandling-L1-1-0.dll

RPCRT4.dll

WINNSI.DLL

NSI.dll

ntdll.dll

msvcrt.dll

_amsg_exit

GetProcessHeap

RegOpenKeyExA

RegCloseKey

iphlpapi.pdb

2#3)3/343<3

7 7$7(7,707

:&;5;&<8<

4&4-44484C4N4S4c4h4x4}4

0 0(0,00080<0@0

\DEVICE\TCPIP_

%s_%u

\DEVICE\NETBT_TCPIP_

iftype%u

\advapi32.dll

6.1.7601.17514 (win7sp1_rtm.101119-1850)

iphlpapi.dll

Windows

Operating System

6.1.7601.17514

%original file name%.exe_3700_rwx_01AF0000_000D5000:

CM_Open_DevNode_Key

CryptCATCatalogInfoFromContext

WSDCreateUdpTransport

WSDCreateUdpMessageParameters

WSDCreateUdpAddress

WSDCreateHttpTransport

WSDCreateHttpMessageParameters

WSDCreateHttpAddress

WSASendMsg

WlanGetProfileKeyInfo

WlanHostedNetworkSetSecondaryKey

WlanHostedNetworkQuerySecondaryKey

_WinStationNotifyDisconnectPipe

WinStationUserLoginAccessCheck

WinStationSetAutologonPassword

WinStationReportUIResult

WinStationIsHelpAssistantSession

WinStationGetUserCertificates

WinStationFreeUserCertificates

WinStationEnumerate_IndexedW

WinStationEnumerate_IndexedA

midiOutShortMsg

u_GetFileExtensionFromUrl

UrlZonesDetach

UpdateUrlCacheContentPath

UnlockUrlCacheEntryStream

UnlockUrlCacheEntryFileW

UnlockUrlCacheEntryFileA

ShowX509EncodedCertificate

ShowClientAuthCerts

ShowCertificate

SetUrlCacheHeaderData

SetUrlCacheGroupAttributeW

SetUrlCacheGroupAttributeA

SetUrlCacheEntryInfoW

SetUrlCacheEntryInfoA

SetUrlCacheEntryGroupW

SetUrlCacheEntryGroupA

SetUrlCacheConfigInfoW

SetUrlCacheConfigInfoA

RunOnceUrlCache

RetrieveUrlCacheEntryStreamW

RetrieveUrlCacheEntryStreamA

RetrieveUrlCacheEntryFileW

RetrieveUrlCacheEntryFileA

RegisterUrlCacheNotification

ReadUrlCacheEntryStream

ParseX509EncodedCertificateForListBoxEntry

LoadUrlCacheContent

IsUrlCacheEntryExpiredW

IsUrlCacheEntryExpiredA

IsHostInProxyBypassList

InternetShowSecurityInfoByURLW

InternetShowSecurityInfoByURLA

InternetOpenUrlW

InternetOpenUrlA

InternetGetSecurityInfoByURLW

InternetGetSecurityInfoByURLA

InternetGetCertByURLA

InternetGetCertByURL

InternetCreateUrlW

InternetCreateUrlA

InternetCrackUrlW

InternetCrackUrlA

InternetCombineUrlW

InternetCombineUrlA

InternetCanonicalizeUrlW

InternetCanonicalizeUrlA

IncrementUrlCacheHeaderData

HttpSendRequestW

HttpSendRequestExW

HttpSendRequestExA

HttpSendRequestA

HttpQueryInfoW

HttpQueryInfoA

HttpOpenRequestW

HttpOpenRequestA

HttpEndRequestW

HttpEndRequestA

HttpAddRequestHeadersW

HttpAddRequestHeadersA

GetUrlCacheHeaderData

GetUrlCacheGroupAttributeW

GetUrlCacheGroupAttributeA

GetUrlCacheEntryInfoW

GetUrlCacheEntryInfoExW

GetUrlCacheEntryInfoExA

GetUrlCacheEntryInfoA

GetUrlCacheConfigInfoW

GetUrlCacheConfigInfoA

FtpSetCurrentDirectoryW

FtpSetCurrentDirectoryA

FtpRenameFileW

FtpRenameFileA

FtpRemoveDirectoryW

FtpRemoveDirectoryA

FtpPutFileW

FtpPutFileEx

FtpPutFileA

FtpOpenFileW

FtpOpenFileA

FtpGetFileW

FtpGetFileSize

FtpGetFileEx

FtpGetFileA

FtpGetCurrentDirectoryW

FtpGetCurrentDirectoryA

FtpFindFirstFileW

FtpFindFirstFileA

FtpDeleteFileW

FtpDeleteFileA

FtpCreateDirectoryW

FtpCreateDirectoryA

FtpCommandW

FtpCommandA

FreeUrlCacheSpaceW

FreeUrlCacheSpaceA

FindNextUrlCacheGroup

FindNextUrlCacheEntryW

FindNextUrlCacheEntryExW

FindNextUrlCacheEntryExA

FindNextUrlCacheEntryA

FindNextUrlCacheContainerW

FindNextUrlCacheContainerA

FindFirstUrlCacheGroup

FindFirstUrlCacheEntryW

FindFirstUrlCacheEntryExW

FindFirstUrlCacheEntryExA

FindFirstUrlCacheEntryA

FindFirstUrlCacheContainerW

FindFirstUrlCacheContainerA

FindCloseUrlCache

DetectAutoProxyUrl

DeleteUrlCacheGroup

DeleteUrlCacheEntryW

DeleteUrlCacheEntryA

DeleteUrlCacheContainerW

DeleteUrlCacheContainerA

CreateUrlCacheGroup

CreateUrlCacheEntryW

CreateUrlCacheEntryA

CreateUrlCacheContainerW

CreateUrlCacheContainerA

CommitUrlCacheEntryW

CommitUrlCacheEntryA

uWinHttpWriteData

WinHttpTimeToSystemTime

WinHttpTimeFromSystemTime

WinHttpSetTimeouts

WinHttpSetStatusCallback

WinHttpSetOption

WinHttpSetCredentials

WinHttpSendRequest

WinHttpReceiveResponse

WinHttpReadData

WinHttpQueryOption

WinHttpQueryHeaders

WinHttpQueryDataAvailable

WinHttpQueryAuthSchemes

WinHttpOpenRequest

WinHttpOpen

WinHttpGetProxyForUrl

WinHttpGetIEProxyConfigForCurrentUser

WinHttpGetDefaultProxyConfiguration

WinHttpCreateUrl

WinHttpCrackUrl

WinHttpConnect

WinHttpCloseHandle

WinHttpAddRequestHeaders

uWerpSubmitReportFromStore

WerpSetReportFlags

WerpSetIntegratorReportId

WerpGetReportFlags

WerpGetIntegratorReportId

WerpCreateIntegratorReportId

WerpAddRegisteredDataToReport

WerReportSubmit

WerReportSetUIOption

WerReportSetParameter

WerReportCreate

WerReportCloseHandle

WerReportAddFile

WerReportAddDump

WsShutdownSessionChannel

WsRegisterOperationForCancel

WsGetOperationContextProperty

WsEncodeUrl

WsDecodeUrl

WsCombineUrl

WsAsyncExecute

ToplScheduleImport

ToplScheduleExportReadonly

LogonUserExExW

ChangeAccountPasswordW

ChangeAccountPasswordA

NetServerTransportEnum

NetServerTransportDel

NetServerTransportAddEx

SqmIsWindowsOptedIn

SLSetCurrentProductKey

SLGetPKeyInformation

SLGetPKeyId

SLGetInstalledProductKeyIds

SpInfGetLineTextWithKey

SLGetPackageProductKey

uGetScheduledDiagnosticsExecutionLevel

SceSetupUpdateSecurityKey

uSamiSyncDSRMPasswordFromAccount

SamiOemChangePasswordUser2WithTransport

SamiChangePasswordUser3

SamiChangePasswordUser

SamiChangeKeys

SamValidatePassword

SamChangePasswordUser2

SamChangePasswordUser

uNetValidatePasswordPolicyFree

NetValidatePasswordPolicy

NetUserChangePassword

RmJoinSession

uWinHttpCallbackAvrf

I_RpcBindingInqTransportType

PowerOpenUserPowerKey

PowerOpenSystemPowerKey

PowerInternalImportPowerScheme

uCertAutoRemove

CertAutoEnrollment

PeerGraphImportDatabase

PeerGraphExportDatabase

uOneXUpdatePortProfile

OneXDestroySupplicantPort

OneXCreateSupplicantPort

KccExecuteTask

uUpdateBackupExclusionKey

NetpIsShareNameValid

NetRemoteComputerSupports

NetpGetJoinInformation

NetpDomainJoinLicensingCheck

NetpDoDomainJoin

NetpCompleteOfflineDomainJoin

NetRequestOfflineDomainJoin

NdfExecuteDiagnosis

NdfCreateWebIncidentEx

NdfCreateWebIncident

BCryptImportKeyPair

BCryptImportKey

BCryptGenerateSymmetricKey

BCryptGenerateKeyPair

BCryptFinalizeKeyPair

BCryptExportKey

BCryptDuplicateKey

BCryptDestroyKey

BCryptDeriveKeyPBKDF2

BCryptDeriveKeyCapi

BCryptDeriveKey

uWasDTCInstalledBySQL

uSpcGetCertFromKey

GetCryptProvFromCertEx

GetCryptProvFromCert

FreeCryptProvFromCertEx

FreeCryptProvFromCert

uShowModelessHTMLDialog

MprConfigTransportSetInfo

MprConfigTransportGetInfo

MprConfigTransportGetHandle

MprConfigTransportDelete

MprConfigTransportCreate

MprConfigInterfaceTransportRemove

MprConfigInterfaceTransportGetInfo

MprConfigInterfaceTransportGetHandle

MprConfigInterfaceTransportEnum

MprConfigInterfaceTransportAdd

MprAdminTransportSetInfo

MprAdminTransportGetInfo

MprAdminTransportCreate

MprAdminPortGetInfo

MprAdminPortEnum

MprAdminInterfaceTransportRemove

MprAdminInterfaceTransportAdd

WNetPasswordChangeNotify

uMFCreateSourceReaderFromURL

MFCreateSinkWriterFromURL

MFGetSupportedSchemes

MFGetSupportedMimeTypes

MFCreateASFMultiplexer

MFCreateASFIndexerByteStream

MFCreateASFIndexer

LsaINotifyPasswordChanged

LsaICallPackagePassthrough

PRShowSaveFromMsginaW

PRShowRestoreFromMsginaW

KRShowKeyMgr

MimeOleParseMhtmlUrl

ImmGetVirtualKey

ImageRemoveCertificate

ImageGetCertificateHeader

ImageGetCertificateData

ImageEnumerateCertificates

ImageAddCertificate

FindExecutableImage

AddUrlToFavorites

uTestURL

ShowInetcpl

NewUrl

ImportZones

ImportSearchProviders

ImportRatings

ImportRSSFeeds

ImportQuickLinks

ImportPrograms

ImportHomePage

ImportFavoritesCmd

ImportFavorites

ImportConnectSet

ImportADMFile

GetURLLinkType

GetFavoriteUrl

ExportRSSFeeds

ExportQuickLinks

ExportFavorites

CheckForDupKeys

uIcfGetOperationalMode

GdiplusShutdown

GdipSetImageAttributesColorKeys

SetViewportOrgEx

SetViewportExtEx

FaxSetPortW

FaxSetPortExW

FaxSetPortExA

FaxSetPortA

FaxOpenPort

FaxGetReportedServerAPIVersion

FaxGetPortW

FaxGetPortExW

FaxGetPortExA

FaxGetPortA

FaxEnumPortsW

FaxEnumPortsExW

FaxEnumPortsExA

FaxEnumPortsA

FwpmFilterGetByKey0

FwpmFilterDeleteByKey0

FmsGetGdiLogicalFont

FmsGetGDILogFont

FmsGetFontProperty

FmsGetFontAutoActivationMode

FmsGetFilteredPropertyList

FmsGetFilteredFontList

FmsGetDirectWriteLogFont

FmsGetCurrentFilter

FmsGetBestMatchInFamily

FWResetIndicatedPortInUse

FWIndicatePortInUse

JetMakeKey

DwmGetTransportAttributes

upServerImportDriverPackage

DriverStoreImportW

uDrtDeleteIpv6UdpTransport

DrtCreateIpv6UdpTransport

DrtDeleteDerivedKeySecurityProvider

DrtCreateDerivedKeySecurityProvider

DrtCreateDerivedKey

uDrtUpdateKey

DrtUnregisterKey

DrtRegisterKey

NetDfsGetSupportedNamespaceVersion

DevObjOpenDeviceInterfaceRegKey

DevObjOpenDevRegKey

DevObjOpenClassRegKey

DevObjGetDevicePropertyKeys

DevObjGetDeviceInterfacePropertyKeys

DevObjGetClassPropertyKeys

DevObjDeleteDeviceInterfaceRegKey

DevObjDeleteDevRegKey

DevObjCreateDeviceInterfaceRegKey

DevObjCreateDevRegKey

uDavGetUNCFromHTTPPath

DavGetHTTPFromUNCPath

DavCheckAndConvertHttpUrlToUncName

CryptXmlImportPublicKey

CryptUIWizCertRequest

CryptUIDlgViewCertificateW

CryptUIDlgSelectCertificateW

CryptUIDlgSelectCertificateFromStore

CryptUIDlgCertMgr

CertSelectionGetSerializedBlob

CryptSetKeyParam

CryptImportKey

CryptGetUserKey

CryptGetKeyParam

CryptGenKey

CryptExportKey

CryptDestroyKey

CryptDeriveKey

uCryptRetrieveObjectByUrlW

CryptRetrieveObjectByUrlA

uGetFriendlyNameOfCertW

GetFriendlyNameOfCertA

CertViewPropertiesW

CertViewPropertiesA

CertSelectCertificateW

CertSelectCertificateA

CredUIPromptForWindowsCredentialsWorker

CredUIPromptForWindowsCredentialsW

CredUICmdLinePromptForCredentialsW

uTaskDialogIndirect

PstMapCertificate

PstGetUserNameForCertificate

PstGetCertificates

PstAcquirePrivateKey

uCAGetCertTypePropertyEx

CAGetCertTypeProperty

CAGetCertTypeKeySpec

CAGetCertTypeFlagsEx

CAGetCertTypeFlags

CAGetCertTypeExtensionsEx

CAGetCertTypeExtensions

CAGetCertTypeExpiration

CAGetCACertificate

CAFreeCertTypeProperty

CAFreeCertTypeExtensions

CAFindCertTypeByName

CAEnumNextCertType

CAEnumCertTypesForCAEx

CAEnumCertTypesForCA

CAEnumCertTypes

CACountCertTypes

CACloseCertType

CACertTypeAccessCheckEx

CACertTypeAccessCheck

GetAppImport

PeerIdentityImport

PeerIdentityGetCryptKey

PeerIdentityExport

PeerGroupResumePasswordAuthentication

PeerGroupPasswordJoin

PeerGroupJoin

PeerGroupImportDatabase

PeerGroupImportConfig

PeerGroupExportDatabase

PeerGroupExportConfig

PeerGroupCreatePasswordInvitation

PeerCollabExportContact

GetUdpStatisticsEx

GetUdpStatistics

GetTcpStatisticsEx

GetTcpStatistics

DsaopExecuteScript

DsMakePasswordCredentialsW

DsMakePasswordCredentialsA

DsFreePasswordCredentials

EfsUtilGetCurrentKey

PSStringFromPropertyKey

PSPropertyKeyFromString

PSPropertyBag_WritePropertyKey

PSPropertyBag_ReadPropertyKey

PSGetPropertyKeyFromName

PSGetNameFromPropertyKey

__AddMachineCertToLicenseStore

RasIsSharedConnection

MprmsgGetErrorString

SslOpenPrivateKey

SslImportMasterKey

SslImportKey

SslGetKeyProperty

SslGenerateSessionKeys

SslGenerateMasterKey

SslExportKey

SslCreateEphemeralKey

SslComputeEapKeyBlock

NCryptOpenKey

NCryptNotifyChangeKey

NCryptIsKeyHandle

NCryptIsAlgSupported

NCryptImportKey

NCryptFinalizeKey

NCryptExportKey

NCryptEnumKeys

NCryptDeriveKey

NCryptDeleteKey

NCryptCreatePersistedKey

uHttpWaitForDisconnectEx

HttpWaitForDisconnect

HttpWaitForDemandStart

HttpTerminate

HttpShutdownRequestQueue

HttpSetUrlGroupProperty

HttpSetServiceConfiguration

HttpSetServerSessionProperty

HttpSetRequestQueueProperty

HttpSendResponseEntityBody

HttpSendHttpResponse

HttpRemoveUrlFromUrlGroup

HttpRemoveUrl

HttpReceiveRequestEntityBody

HttpReceiveHttpRequest

HttpReceiveClientCertificate

HttpReadFragmentFromCache

HttpQueryUrlGroupProperty

HttpQueryServiceConfiguration

HttpQueryServerSessionProperty

HttpQueryRequestQueueProperty

HttpInitialize

HttpGetCounters

HttpFlushResponseCache

HttpDeleteServiceConfiguration

HttpCreateUrlGroup

HttpCreateServerSession

HttpCreateRequestQueue

HttpCreateHttpHandle

HttpCloseUrlGroup

HttpCloseServerSession

HttpCloseRequestQueue

HttpCancelHttpRequest

HttpAddUrlToUrlGroup

HttpAddUrl

HttpAddFragmentToCache

uUrlMkSetSessionOption

UrlMkGetSessionOption

URLOpenBlockingStreamW

URLOpenBlockingStreamA

URLDownloadToFileW

URLDownloadToFileA

URLDownloadToCacheFileW

URLDownloadToCacheFileA

ResetUrlmonLanguageData

IsValidURL

GetUrlmonThreadNotificationHwnd

GetPortFromUrlScheme

GetMarkOfTheWeb

GetAddSitesFileUrl

CreateURLMonikerEx2

CreateURLMonikerEx

CreateURLMoniker

CoInternetParseUrl

CoInternetIsFeatureEnabledForUrl

CoInternetGetSecurityUrlEx

CoInternetGetSecurityUrl

CoInternetCompareUrl

CoInternetCombineUrlEx

CoInternetCombineUrl

CoGetClassObjectFromURL

acmDriverRemove

acmDriverOpen

acmDriverClose

acmDriverAddW

uxpsrasterservice.dll

xolehlp.dll

xmllite.dll

wtsapi32.dll

wsdapi.dll

ws2_32.dll

wmvcore.dll

wmpmde.dll

wmi.dll

wmdrmsdk.dll

wldap32.dll

wlanutil.dll

wlanhlp.dll

wlanapi.dll

wkscli.dll

wintrust.dll

winsta.dll

winspool.drv

winscard.dll

winnsi.dll

winmm.dll

wininet.dll

winhttp.dll

windowscodecs.dll

winbrand.dll

werui.dll

wer.dll

webservices.dll

webio.dll

wdi.dll

w32topl.dll

vssapi.dll

vpnikeapi.dll

virtdisk.dll

version.dll

vaultcli.dll

uxtheme.dll

uxinit.dll

utildll.dll

usp10.dll

userenv.dll

user32.dll

urlmon.dll

uiautomationcore.dll

ubpm.dll

tdh.dll

tapi32.dll

syssetup.dll

synceng.dll

sti.dll

sspicli.dll

srvcli.dll

srclient.dll

sqmapi.dll

sppc.dll

spinf.dll

spfileq.dll

sndvolsso.dll

slcext.dll

slc.dll

shlwapi.dll

shfolder.dll

shell32.dll

shdocvw.dll

sfmapi.dll

sfc.dll

setupapi.dll

sensapi.dll

secur32.dll

sdiagschd.dll

scecli.dll

scarddlg.dll

samsrv.dll

samlib.dll

samcli.dll

rtutils.dll

rstrtmgr.dll

rpcshim.dll

rpcrt4.dll

rpchttp.dll

regapi.dll

rasman.dll

rasdlg.dll

rasapi32.dll

qwave.dll

query.dll

pstorec.dll

psapi.dll

propsys.dll

profapi.dll

printui.dll

powrprof.dll

pidgenx.dll

pidgen.dll

pcwum.dll

pautoenr.dll

p2pgraph.dll

p2p.dll

opengl32.dll

onexui.dll

onex.dll

oledlg.dll

oleaut32.dll

oleacc.dll

ole32.dll

odbc32.dll

occache.dll

ntshrui.dll

ntmarta.dll

ntlanman.dll

ntdskcc.dll

ntdsetup.dll

ntdsbsrv.dll

ntdsapi.dll

ntdsa.dll

nsi.dll

normaliz.dll

netutils.dll

netshell.dll

netplwiz.dll

netman.dll

netlogon.dll

netjoin.dll

netcfgx.dll

netbios.dll

netapi32.dll

ndfapi.dll

ncrypt.dll

nci.dll

mtxclu.dll

mswsock.dll

mssign32.dll

msrating.dll

msoobeui.dll

msjava.dll

msimg32.dll

msiltcfg.dll

msi.dll

mshtml.dll

msgina.dll

msfeeds.dll

msdrm.dll

msctf.dll

mscat32.dll

msacm32.dll

mqrt.dll

mprmsg.dll

mprapi.dll

mpr.dll

mmdevapi.dll

mlang.dll

mfreadwrite.dll

mfplat.dll

mf.dll

mdedrmstublib.dll

lsasrv.dll

logoncli.dll

loadperf.dll

linkinfo.dll

ktmw32.dll

keymgr.dll

kdcsvc.dll

iphlpapi.dll

inseng.dll

inetcomm.dll

imm32.dll

imgutil.dll

imagehlp.dll

ieui.dll

ieshims.dll

ieframe.dll

ieakeng.dll

iashlpr.dll

httpapi.dll

hnetcfg.dll

hlink.dll

hid.dll

gpsvc.dll

gpapi.dll

gdiplus.dll

gdi32.dll

fxsapi.dll

fwpuclnt.dll

fveapi.dll

fms.dll

firewallapi.dll

explorerframe.dll

evr.dll

esent.dll

elscore.dll

ehtrace.dll

efsutil.dll

efsadu.dll

eappcfg.dll

dxgi.dll

dwmapi.dll

duser.dll

dui70.dll

dsrole.dll

dsound.dll

drvstore.dll

drttransport.dll

drtprov.dll

drt.dll

dnsapi.dll

dhcpcsvc6.dll

dhcpcsvc.dll

dfscli.dll

devrtl.dll

devobj.dll

devmgr.dll

ddraw.dll

dbghelp.dll

dbgeng.dll

davhlpr.dll

d3d9.dll

d3d8.dll

d2d1.dll

cscdll.dll

cscapi.dll

cryptxml.dll

cryptui.dll

cryptsp.dll

cryptnet.dll

cryptdll.dll

cryptdlg.dll

cryptbase.dll

crypt32.dll

credui.dll

comsvcs.dll

comdlg32.dll

comctl32.dll

colbact.dll

clusapi.dll

clbcatq.dll

cfgmgr32.dll

certpoleng.dll

certenroll.dll

certcli.dll

catsrvut.dll

catsrv.dll

cabinet.dll

browcli.dll

bcrypt.dll

avrt.dll

authz.dll

appmgmts.dll

apphelp.dll

api-ms-win-service-winsvc-l1-1-0.dll

api-ms-win-service-management-l2-1-0.dll

api-ms-win-service-management-l1-1-0.dll

api-ms-win-service-core-l1-1-0.dll

api-ms-win-security-sddl-l1-1-0.dll

api-ms-win-security-lsalookup-l1-1-0.dll

advpack.dll

advapi32.dll

activeds.dll

actionqueue.dll

aclui.dll

SetProcessWindowStation

OpenWindowStationW

OpenWindowStationA

MsgWaitForMultipleObjectsEx

MsgWaitForMultipleObjects

GetProcessWindowStation

GetKeyState

EnumDesktopWindows

CloseWindowStation

CM_Open_Class_Key_ExW

CM_MapCrToWin32Err

CM_MapCrToSpErr

uPFXImportCertStore

PFXExportCertStoreEx

PFXExportCertStore

CryptVerifyCertificateSignatureEx

CryptVerifyCertificateSignature

CryptSignCertificate

CryptSignAndEncodeCertificate

CryptMsgUpdate

CryptMsgOpenToEncode

CryptMsgOpenToDecode

CryptMsgGetParam

CryptMsgGetAndVerifySigner

CryptMsgControl

CryptMsgClose

CryptMsgCalculateEncodedLength

CryptImportPublicKeyInfoEx2

CryptImportPublicKeyInfoEx

CryptImportPublicKeyInfo

CryptHashPublicKeyInfo

CryptHashCertificate

CryptGetMessageCertificates

CryptExportPublicKeyInfo

CryptAcquireCertificatePrivateKey

CertVerifyValidityNesting

CertVerifyTimeValidity

CertVerifySubjectCertificateContext

CertStrToNameW

CertStrToNameA

CertSetEnhancedKeyUsage

CertSetCertificateContextProperty

CertSerializeCertificateStoreElement

CertSelectCertificateChains

CertSaveStore

CertRemoveEnhancedKeyUsageIdentifier

CertRegisterPhysicalStore

CertRDNValueToStrW

CertRDNValueToStrA

CertOpenSystemStoreW

CertOpenSystemStoreA

CertOpenStore

CertOIDToAlgId

CertNameToStrW

CertNameToStrA

CertIsRDNAttrsInCertificateName

CertGetSubjectCertificateFromStore

CertGetPublicKeyLength

CertGetNameStringW

CertGetIssuerCertificateFromStore

CertGetIntendedKeyUsage

CertGetEnhancedKeyUsage

CertGetCertificateContextProperty

CertGetCertificateChain

CertGetCTLContextProperty

CertFreeCertificateContext

CertFreeCertificateChainList

CertFreeCertificateChainEngine

CertFreeCertificateChain

CertFreeCTLContext

CertFreeCRLContext

CertFindSubjectInCTL

CertFindRDNAttr

CertFindExtension

CertFindChainInStore

CertFindCertificateInStore

CertFindCTLInStore

CertEnumCertificatesInStore

CertEnumCertificateContextProperties

CertEnumCRLsInStore

CertDuplicateStore

CertDuplicateCertificateContext

CertDuplicateCertificateChain

CertDuplicateCTLContext

CertDeleteCertificateFromStore

CertCreateSelfSignCertificate

CertCreateContext

CertCreateCertificateContext

CertCreateCTLContext

CertCreateCRLContext

CertControlStore

CertComparePublicKeyInfo

CertCompareIntegerBlob

CertCompareCertificateName

CertCompareCertificate

CertCloseStore

CertAddStoreToCollection

CertAddSerializedElementToStore

CertAddEnhancedKeyUsageIdentifier

CertAddEncodedCertificateToStore

CertAddEncodedCRLToStore

CertAddCertificateContextToStore

CertAddCRLContextToStore

CertVerifyCertificateChainPolicy

CryptHashSessionKey

CryptDuplicateKey

TF_RunInputCPL

TF_PostAllThreadMsg

SetupDiReportDeviceInstallError

SetupDiOpenDeviceInterfaceRegKey

SetupDiOpenDevRegKey

SetupDiOpenClassRegKeyExW

SetupDiOpenClassRegKeyExA

SetupDiOpenClassRegKey

SetupDiGetDevicePropertyKeys

SetupDiGetDeviceInterfacePropertyKeys

SetupDiGetClassPropertyKeysExW

SetupDiGetClassPropertyKeys

SetupDiCreateDeviceInterfaceRegKeyW

SetupDiCreateDevRegKeyW

ShellExecuteW

ShellExecuteExW

ShellExecuteExA

ShellExecuteA

SHFileOperationW

SHFileOperationA

FindExecutableW

FindExecutableA

AssocGetDetailsOfPropKey

uSLUnregisterWindowsEvent

SLRegisterWindowsEvent

SLReArmWindows

SLIsWindowsGenuineLocal

SLGetWindowsInformationDWORD

SLGetWindowsInformation

SLConsumeWindowsRight

SetPortW

EnumPrinterKeyW

EnumPortsW

DeletePrinterKeyW

DeletePortW

ConfigurePortW

AddPortW

WTHelperGetProvCertFromChain

TrustIsCertificateSelfSigned

NetUnjoinDomain

NetJoinDomain

NetGetJoinInformation

LOAD: GETMODULEFILENAME failed PID=%ld | stringID=%ld | str=%S | flags=%d | hr = %X

j%Xjp3

SXS: %s() BasepSxsCreateStreams() failed

t.HH;

j.Yf;

PSSSSSSh

Invalid args passed

LOAD: INIT failed PID=%ld | stringID=%ld | str=%S | flags=%d | hr = %X

WTSShutdownSystem

twain_32.dll

SdbReleaseMatchingExe

SdbGetMatchingExe

SdbFindFirstGUIDIndexedTag

ApphelpCheckExe

j.Xf;

.data

UrlUnescapeW

UrlUnescapeA

UrlGetPartW

UrlEscapeW

UrlEscapeA

UrlCombineW

UrlCombineA

UrlCanonicalizeW

UrlCanonicalizeA

UrlApplySchemeW

UrlApplySchemeA

SHEnumKeyExW

SHDeleteKeyW

SHDeleteKeyA

PathIsURLW

PathCreateFromUrlW

uWS_HTTP2_INITIAL_CONNECTION__new

WS_HTTP2_CONNECTION__Initialize

I_RpcTransGetHttpCredentials

I_RpcTransFreeHttpCredentials

HttpSendIdentifyResponse

HTTP_TurnOnOffKeepAlives

HTTP_SyncSend

HTTP_SyncRecv

HTTP_SetLastBufferToFree

HTTP_ServerListen

HTTP_Send

HTTP_Recv

HTTP_QueryLocalAddress

HTTP_QueryClientIpAddress

HTTP_QueryClientId

HTTP_QueryClientAddress

HTTP_Open

HTTP_Initialize

HTTP_FreeResolverHint

HTTP_CopyResolverHint

HTTP_Close

HTTP_Abort

HTTP2WinHttpDirectSend

HTTP2WinHttpDirectReceive

HTTP2WinHttpDelayedReceive

HTTP2TimerReschedule

HTTP2TestHook

HTTP2SocketTransportChannel__SendComplete

HTTP2SocketTransportChannel__ReceiveComplete

HTTP2RecycleChannel

HTTP2ProcessRuntimePostedEvent

HTTP2ProcessComplexTSend

HTTP2ProcessComplexTReceive

HTTP2PlugChannelDirectSend

HTTP2IISSenderDirectSend

HTTP2IISDirectReceive

HTTP2GetRpcConnectionTransport

HTTP2FlowControlChannelDirectSend

HTTP2EpRecvFailed

HTTP2DirectReceive

HTTP2ContinueDrainChannel

HTTP2ChannelDataOriginatorDirectSend

HTTP2AbortConnection

FreeHttpTransportCredentials

DuplicateHttpTransportCredentials

ConvertToUnicodeHttpTransportCredentials

CompareHttpTransportCredentials

TransportAddrFromMtxAddr

MtxAddrFromTransportAddr

DsaExeStartRoutine

DirOperationControl

DSStrToHashKeyExternal

DSNAMEToHashKeyExternal

AttrTypeToKey

SaferiIsExecutableFileType

ReportEventW

ReportEventA

RegUnLoadKeyW

RegSetKeyValueW

RegSetKeySecurity

RegSaveKeyW

RegSaveKeyExW

RegSaveKeyA

RegRestoreKeyW

RegReplaceKeyW

RegRenameKey

RegQueryReflectionKey

RegQueryInfoKeyW

RegQueryInfoKeyA

RegOpenKeyW

RegOpenKeyTransactedW

RegOpenKeyExW

RegOpenKeyExA

RegOpenKeyA

RegNotifyChangeKeyValue

RegLoadKeyW

RegGetKeySecurity

RegFlushKey

RegEnumKeyW

RegEnumKeyExW

RegEnumKeyA

RegEnableReflectionKey

RegDisableReflectionKey

RegDeleteKeyW

RegDeleteKeyValueW

RegDeleteKeyTransactedW

RegDeleteKeyExW

RegDeleteKeyExA

RegDeleteKeyA

RegCreateKeyW

RegCreateKeyTransactedW

RegCreateKeyExW

RegCreateKeyA

RegCloseKey

GetServiceKeyNameW

GetEventLogInformation

FreeEncryptionCertificateHashList

FreeEncryptedFileKeyInfo

EncryptedFileKeyInfo

ElfReportEventW

Gentee.Installer

RR.Raphael.Install.Builder

ThraexSoftware.AstrumInstallWizard

Roshal.WinRAR.WinRAR

Illustrate.Spoon.Installer

InstallShield.Setup

Nullsoft.NSIS

JR.Inno.Setup

uOSSh

\twain_32.dll

TermsrvSetKeySecurity

TermsrvRestoreKey

TermsrvDeleteKey

TermsrvSetValueKey

tsappcmp.dll

SXS: %s() empty lpSource %ls

SXS: %s() Calling csrss server failed. Status = 0x%x

SXS: %s() NtCreateSection() failed. Status = 0x%x.

SXS: %s() NtMapViewOfSection failed

SXS: %s() NtOpenFile(%wZ) failed

SXS: %s() AssemblyDirectory is not null terminated

SXS: %s() BaseDllMapResourceIdW failed

SXS: %s() ACTCTX_FLAG_RESOURCE_NAME_VALID set but lpResourceName == 0

SXS: %s() Bad lpAssemblyDirectory %ls

SXS: %s() Bad lpApplication name '%ls'

SXS: %s() Bad lpSource PathType %ls, 0x%lx

SXS: %s() bad wProcessorArchitecture 0x%x

SXS: %s() BaseDllMapResourceIdA failed

SXS: Invalid parameter(s) passed to FindActCtxSection*()

->cbSize = %u

SXS: %s() CsrCaptureMessageMultiUnicodeStringsInPlace failed

Kernel32: No mapping for ImageInformation.Machine == x

ConnectConsoleInternal failed with Status 0x%x

NtConnectPort %ws failed with Status 0x%x

SXS: %s() NtQueryInformationFile failed. Status = 0x%x

WaitForMultipleObjects returned with %d

RtlWerpReportException failed with status code :%d. Will try to launch the process directly

WerpReportFault Invalid params passed

WerpHeapFree failed with 0x%x

Too long restart command line passed

t5SSh

StringCchCopy failed with 0x%x

Invalid arg in %s

Invalid block passed

INIT: PID %ld is %S

LOAD: INS failed PID=%ld | stringID=%ld | str=%S | flags=%d | hr = %X

TermsrvLogInstallIniFile

TermsrvGetWindowsDirectoryW

TermsrvGetWindowsDirectoryA

SXS: %s() NtCreateSection() failed. Status = 0x%x

SXS: %s() Null %p or size 0x%lx too small

SXS: %s() Bad flags/size 0x%lx/0x%lx

.debug

.reloc

.rsrc1

.rsrc

SXS: %s() NtOpenFile(%wZ) failed. Status = 0x%x

Invalid args in %s

WerpGetRecoveryInfoForSelf failed with 0x%x

SSSSh

WPSSh

mem16.dll

ImpersonateNamedPipeClient

PSSh?

PWVSSh

{u.j-Yf9H&uùH0u

u%SPd

t SSh

PSSh<

SXS: %s - Failure getting active activation context; ntstatus lx

PVWSSh

VSSHP

GetSystemWindowsDirectory failed or the size was not adequate

StringCchPrintf failed with 0x%x

NtQueryInformationProcess failed with 0x%x

Failed to create the process %S

Failed to get the paths for the crash vertical. Error was 0x%x

NtQueryInformationProcess failed with status: 0x%x

uRtlInitUnicodeStringEx returned 0x%x

NtQueryInformationProcess failed 0x%x

uStringcchcopy failed while copying the debugger path 0x%x

StringCchPrintf failed while printng the debugger commandline with 0x%x

StringCchPrintf failed while printing the debugger path with 0x%x

NtWow64QueryInformationProcess64 failed with 0x%x

NtWow64ReadVirtualMemory64 failed with 0x%x

NtQueryInformationProcess failed with status 0x%x

WerpNtWow64QueryInformationProcess64 failed with status 0x%x

Invalid handle passed

USE: GETMODSTAMP failed PID=%ld | MODNAME=%S | STRID=%ld | hr = %X

USE: GETMODULEVERSION failed PID=%ld | MODNAME=%S | STRID=%ld | hr = %X

USE: Lookup failed PID=%ld | STR=%S | HashModBuckets=%ld

CACHE: Purging node from the cache MOD=%s | STRID=%ld | Flags=%X | HashModBuckets=%ld

KERNEL32.dll

BaseCleanupAppcompatCacheSupport

BaseInitAppcompatCacheSupport

CallNamedPipeA

CallNamedPipeW

CmdBatNotification

ConnectNamedPipe

CreateIoCompletionPort

CreateMutexExA

CreateMutexExW

CreateNamedPipeA

CreateNamedPipeW

CreatePipe

DisconnectNamedPipe

EnumCalendarInfoExEx

EnumDateFormatsExEx

GetCPInfo

GetCPInfoExA

GetCPInfoExW

GetCalendarSupportedDateRange

GetConsoleAliasExesA

GetConsoleAliasExesLengthA

GetConsoleAliasExesLengthW

GetConsoleAliasExesW

GetConsoleInputExeNameA

GetConsoleInputExeNameW

GetConsoleKeyboardLayoutNameA

GetConsoleKeyboardLayoutNameW

GetConsoleOutputCP

GetLargestConsoleWindowSize

GetNamedPipeAttribute

GetNamedPipeClientComputerNameA

GetNamedPipeClientComputerNameW

GetNamedPipeClientProcessId

GetNamedPipeClientSessionId

GetNamedPipeHandleStateA

GetNamedPipeHandleStateW

GetNamedPipeInfo

GetNamedPipeServerProcessId

GetNamedPipeServerSessionId

GetProcessHandleCount

GetProcessHeap

GetProcessHeaps

GetProcessShutdownParameters

GetSystemWindowsDirectoryA

GetSystemWindowsDirectoryW

GetWindowsDirectoryA

GetWindowsDirectoryW

InitOnceExecuteOnce

NeedCurrentDirectoryForExePathA

NeedCurrentDirectoryForExePathW

PeekNamedPipe

RegCreateKeyExA

RegEnumKeyExA

RegLoadKeyA

RegRestoreKeyA

RegSaveKeyExA

RegUnLoadKeyA

RegisterWowExec

SetConsoleInputExeNameA

SetConsoleInputExeNameW

SetConsoleKeyShortcuts

SetConsoleMaximumWindowSize

SetConsoleOutputCP

SetNamedPipeAttribute

SetNamedPipeHandleState

SetProcessShutdownParameters

SetThreadExecutionState

TransactNamedPipe

VDMConsoleOperation

VDMOperationStarted

WaitNamedPipeA

WaitNamedPipeW

WinExec

NTDLL.RtlAcquireSRWLockExclusive

NTDLL.RtlAcquireSRWLockShared

api-ms-win-core-libraryloader-l1-1-0.AddDllDirectory

NTDLL.RtlAddVectoredContinueHandler

NTDLL.RtlAddVectoredExceptionHandler

NTDLL.TpCancelAsyncIoOperation

NTDLL.TpReleasePool

NTDLL.TpReleaseCleanupGroup

NTDLL.TpReleaseCleanupGroupMembers

NTDLL.TpReleaseIoCompletion

NTDLL.TpReleaseTimer

NTDLL.TpReleaseWait

NTDLL.TpReleaseWork

api-ms-win-core-processthreads-l1-1-0.CreateRemoteThreadEx

NTDLL.RtlDecodePointer

NTDLL.RtlDecodeSystemPointer

NTDLL.RtlDeleteBoundaryDescriptor

NTDLL.RtlDeleteCriticalSection

api-ms-win-core-processthreads-l1-1-0.DeleteProcThreadAttributeList

NTDLL.TpDisassociateCallback

NTDLL.RtlEncodePointer

NTDLL.RtlEncodeSystemPointer

NTDLL.RtlEnterCriticalSection

NTDLL.RtlExitUserThread

NTDLL.NtFlushProcessWriteBuffers

NTDLL.TpCallbackUnloadDllOnCompletion

NTDLL.RtlGetCurrentProcessorNumber

NTDLL.RtlGetCurrentProcessorNumberEx

api-ms-win-core-sysinfo-l1-1-0.GetLogicalProcessorInformationEx

NTDLL.RtlAllocateHeap

NTDLL.RtlReAllocateHeap

NTDLL.RtlSizeHeap

NTDLL.RtlRunOnceInitialize

NTDLL.RtlInitializeConditionVariable

NTDLL.RtlInitializeCriticalSection

api-ms-win-core-processthreads-l1-1-0.InitializeProcThreadAttributeList

NTDLL.RtlInitializeSListHead

NTDLL.RtlInitializeSRWLock

NTDLL.RtlInterlockedCompareExchange64

NTDLL.RtlInterlockedFlushSList

NTDLL.RtlInterlockedPopEntrySList

NTDLL.RtlInterlockedPushEntrySList

NTDLL.RtlInterlockedPushListSList

NTDLL.TpIsTimerSet

NTDLL.RtlLeaveCriticalSection

NTDLL.TpCallbackLeaveCriticalSectionOnCompletion

api-ms-win-core-processthreads-l1-1-0.OpenProcessToken

api-ms-win-core-processthreads-l1-1-0.OpenThreadToken

NTDLL.RtlQueryDepthSList

NTDLL.TpCallbackReleaseMutexOnCompletion

NTDLL.RtlReleaseSRWLockExclusive

NTDLL.RtlReleaseSRWLockShared

NTDLL.TpCallbackReleaseSemaphoreOnCompletion

api-ms-win-core-libraryloader-l1-1-0.RemoveDllDirectory

NTDLL.RtlRemoveVectoredContinueHandler

NTDLL.RtlRemoveVectoredExceptionHandler

NTDLL.RtlRestoreLastWin32Error

NTDLL.RtlMoveMemory

NTDLL.RtlZeroMemory

NTDLL.RtlSetCriticalSectionSpinCount

api-ms-win-core-libraryloader-l1-1-0.SetDefaultDllDirectories

NTDLL.TpCallbackSetEventOnCompletion

api-ms-win-core-processthreads-l1-1-0.SetThreadToken

NTDLL.TpSetPoolMaxThreads

NTDLL.TpSetTimer

NTDLL.TpSetWait

api-ms-win-core-threadpool-l1-1-0.SetWaitableTimerEx

NTDLL.TpStartAsyncIoOperation

NTDLL.TpPostWork

NTDLL.RtlTryAcquireSRWLockExclusive

NTDLL.RtlTryAcquireSRWLockShared

NTDLL.RtlTryEnterCriticalSection

api-ms-win-core-processthreads-l1-1-0.UpdateProcThreadAttribute

NTDLL.VerSetConditionMask

NTDLL.TpWaitForIoCompletion

NTDLL.TpWaitForTimer

NTDLL.TpWaitForWait

NTDLL.TpWaitForWork

NTDLL.RtlWakeAllConditionVariable

NTDLL.RtlWakeConditionVariable

API-MS-Win-Security-Base-L1-1-0.dll

API-MS-Win-Core-Profile-L1-1-0.dll

API-MS-Win-Core-Util-L1-1-0.dll

API-MS-Win-Core-Fibers-L1-1-0.dll

API-MS-Win-Core-ErrorHandling-L1-1-0.dll

API-MS-Win-Core-Debug-L1-1-0.dll

API-MS-Win-Core-String-L1-1-0.dll

API-MS-Win-Core-ProcessEnvironment-L1-1-0.dll

API-MS-Win-Core-Localization-L1-1-0.dll

API-MS-Win-Core-SysInfo-L1-1-0.dll

API-MS-Win-Core-Misc-L1-1-0.dll

API-MS-Win-Core-NamedPipe-L1-1-0.dll

API-MS-Win-Core-LibraryLoader-L1-1-0.dll

API-MS-Win-Core-ThreadPool-L1-1-0.dll

API-MS-Win-Core-IO-L1-1-0.dll

API-MS-Win-Core-File-L1-1-0.dll

API-MS-Win-Core-Synch-L1-1-0.dll

API-MS-Win-Core-Handle-L1-1-0.dll

API-MS-Win-Core-Memory-L1-1-0.dll

API-MS-Win-Core-Heap-L1-1-0.dll

API-MS-Win-Core-ProcessThreads-L1-1-0.dll

KERNELBASE.dll

ntdll.dll

API-MS-Win-Core-RtlSupport-L1-1-0.dll

NtNotifyChangeKey

RtlComputeImportTableHash

RtlRunOnceExecuteOnce

NtSetThreadExecutionState

LdrQueryImageFileExecutionOptions

NtCreateKeyTransacted

NtDeleteValueKey

NtEnumerateKey

RtlFormatCurrentUserKeyPath

NtEnumerateValueKey

NtCreateKey

NtSetValueKey

NtFlushKey

NtOpenKey

NtQueryValueKey

LdrQueryImageFileKeyOption

NtYieldExecution

NtRequestWaitReplyPort

NtConnectPort

NtOpenKeyTransacted

NtQueryKey

NtOpenKeyEx

NtOpenKeyTransactedEx

NtDeleteKey

NtLoadKey

NtUnloadKey

NtNotifyChangeMultipleKeys

NtRestoreKey

NtSaveKeyEx

RtlWerpReportException

WerReportSQMEvent

BaseGetProcessExePath

OpenRegKey

GetCPHashNode

BaseReleaseProcessExePath

kernel32.pdb

; ;$;(;,;0;4;

> >$>(>,>

4 4$4(4,4044484

6 6$6(6,60646

0 0$0(0,00040

8 8$8(8,8

? ?$?(?,?0?4?8?

< <$<(<,<0<4<

094989<9

; ;$;(;,;0;4;8;<;

7 7$7(7,70747

=,>0><>|>

<,>0>8><>

121c1/2`2

:":\:&;>;};

6 7$7(7,7074787<7@7

2$2*2/2?2

cmd /c

\Registry\Machine\Software\Policies\Microsoft\Windows\System

win.ini

.Manifest

.Config

\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR

\Windows

hotkey.

Software\Microsoft\Windows NT\CurrentVersion\Windows

sortdefault.nls

\Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide

windows seven

windows vista

\Software\Microsoft\Windows NT\CurrentVersion

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls

\Registry\MACHINE\Software\Policies\Microsoft\Windows\AppCompat

\system32\apphelp.dll

InstallShield Self-extracting EXE

Autoextractor EXE de InstallShield

hrbares Programm EXE

PackageForTheWeb

PackageForTheWeb Fehler

PackageForTheWeb Error

Setup cannot start the program _Setup.exe

Setup couldn't decompress the file '%s'.

\\.\MountPointManager

\\?\UNC\

ADVAPI32.DLL

\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

pNullsoft.NSIS

.Local

~RF%4x.TMP

hotkey.%u %s

wowexec.pif

EmbdTrst.DLL

\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

csrstub.exe %d -P %ws

WINDOWS

hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings

Application.Manifest

\\?\GLOBALROOT

\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib

\wmrtrace.dmp

DNSAPI.DLL

"/\[]:|<> =;,?

\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters

\REGISTRY\USER\.DEFAULT

AppCertDlls

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebugProtected\AutoExclusionList

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\AutoExclusionList

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebugProtected

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug

pwinmail.exe

wmplayer.exe

outlook.exe

explorer.exe

iexplore.exe

ntsd.exe

cdb.exe

windbg.exe

PendingFileRenameOperations%d

PendingFileRenameOperations

%ws%u\DosDevices\%ws

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server

serialui.dll

"%s\ntvdm.exe" %s%c

"%s\ntvdm.exe" -i%lx %s%c

\KernelObjects\SystemErrorPortReady

%systemroot%\system32\ntdll.dll

\\.\PhysicalDrive%lu

%s -u -p %d -s %I64d

%s\%s

WerFault.exe

WerFaultSecure.exe

%s\system32\%s

sntdll.dll

\Software\Microsoft\Windows\Windows Error Reporting\WMR

!"#$%&'()* ,

Windows NT BASE API Client DLL

6.1.7601.17651 (win7sp1_gdr.110715-1504)

Windows

Operating System

6.1.7601.17651

%original file name%.exe_3700_rwx_01BD0000_000CA000:

.nlu2nlu

tSSSh

=.cmd

=.pif

=.lnk

=.com

=.bat

6SSSSh

USER32.dll

ActivateKeyboardLayout

ArrangeIconicWindows

CallMsgFilter

CallMsgFilterA

CallMsgFilterW

CascadeChildWindows

CascadeWindows

CliImmSetHotKey

CloseWindowStation

CreateDialogIndirectParamA

CreateDialogIndirectParamAorW

CreateDialogIndirectParamW

CreateWindowStationA

CreateWindowStationW

DisableProcessWindowsGhosting

DisplayExitWindowsWarnings

EnumChildWindows

EnumDesktopWindows

EnumThreadWindows

EnumWindowStationsA

EnumWindowStationsW

EnumWindows

ExitWindowsEx

GetAsyncKeyState

GetKeyNameTextA

GetKeyNameTextW

GetKeyState

GetKeyboardLayout

GetKeyboardLayoutList

GetKeyboardLayoutNameA

GetKeyboardLayoutNameW

GetKeyboardState

GetKeyboardType

GetProcessWindowStation

LoadKeyboardLayoutA

LoadKeyboardLayoutEx

LoadKeyboardLayoutW

LockWindowStation

MapVirtualKeyA

MapVirtualKeyExA

MapVirtualKeyExW

MapVirtualKeyW

MsgWaitForMultipleObjects

MsgWaitForMultipleObjectsEx

OemKeyScan

OpenWindowStationA

OpenWindowStationW

RegisterErrorReportingDialog

RegisterHotKey

RegisterSessionPort

SetKeyboardState

SetProcessWindowStation

SetWindowStationUser

SetWindowsHookA

SetWindowsHookExA

SetWindowsHookExW

SetWindowsHookW

SfmDxReportPendingBindingsToDwm

TileChildWindows

TileWindows

UnhookWindowsHook

UnhookWindowsHookEx

UnloadKeyboardLayout

UnlockWindowStation

UnregisterHotKey

UnregisterSessionPort

VkKeyScanA

VkKeyScanExA

VkKeyScanExW

VkKeyScanW

WINNLSGetIMEHotkey

keybd_event

luC.ju

CtfImmGetCompatibleKeyboardLayout

CtfImmSetDefaultRemoteKeyboardLayout

ImmProcessKey

nuSSSSh

tcPPWS

PSShTKlu

PSSh0Klu

F\ FTP

~,SSSh

*9]0t#SShH\hu

t(SShW

PSShH

tWSh&.nu

ADVAPI32.dll

CFGMGR32.dll

MSIMG32.dll

POWRPROF.dll

WINSTA.dll

ReportEventW

CM_MapCrToWin32Err

KERNEL32.dll

GDI32.dll

ntdll.dll

RtlCheckRegistryKey

NtYieldExecution

NtCreateKey

NtSetValueKey

NtDeleteValueKey

NtEnumerateKey

NtOpenKey

NtQueryValueKey

GetViewportOrgEx

SetViewportOrgEx

GetViewportExtEx

GetCPInfo

GetSystemWindowsDirectoryW

RegOpenKeyExW

RegQueryInfoKeyW

RegCloseKey

RegCreateKeyExW

RegDeleteKeyExW

user32.pdb

windows.hlp

n..GGHHH

n...GGHHH

n ....HGHHHH

n  ....G.HHH

~~~~{~{{{{

n!! ....HGHHHH

n!!  .....HHHHHH

!!!  ....GGHHH

!!"".....HHHHnv

"""...-.nv

%DvttxxxxxxxxxxkL

&)-.CFDA86ANXYYUUUNna

$ .CC|

**$**$*$)0

' "$ $ *$'

8==???//3

9@==??<42

,446666,,$

"", ,',"!

jjk%xxy

jjk`jjk%xxy

>7;?__?;7>

%D=9;

.AG ,,H,a

 $ $ $$ $*$'%

.)***'***

FK;% %Sbd#

\;0-0----1--1-//1?7|

=:640)0#

=7:4##)4#

=:440)0)##

7440)))4#"

?<:4404)40##"!!

7:4)44)))#""!!

=<:744744))#""!!

=<47474744))""!!!

=<747474444)#""!!

=<<4777747)4#""

<7<77774444)"""

<77774 444###"""!!!

<<<: 44##"""

<<4 4###"

<<: 4##"

")355886''

.ziw ~y

@@@{9998

wtUUeUQ3"%U

wwtUUUe@B%UU

4W5X5

6B8N8T8‘9S9b9h9

88W8^8q8

<&<,<6<<<

0 5&53595e6

3,343^3~3

csrsrv.dll

\Registry\Machine\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\2BD63D28D7BCD0E251195AEB519243C13142EBC3

\Registry\Machine\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\2BD63D28D7BCD0E251195AEB519243C13142EBC3

kbdus.dll

Keyboard Layout\Preload

\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layouts\

Control Panel\Input Method\Hot Keys

Virtual Key

Key Modifiers

keyboardlayout.ini

imm32.dll

Software\Policies\Microsoft\Windows NT\Reliability

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows

\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\Media Center\

\Registry\Machine\Software\Microsoft\Windows\Tablet PC\

POWRPROF.DLL

\Windows\WindowStations

\Windows

IMM32.DLL

&%d %ws

\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layout\

IgnoreRemoteKeyboardLayout

Keyboard Layout

kbdkor.dll

kbdjpn.dll

\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layout

\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\2BD63D28D7BCD0E251195AEB519243C13142EBC3

Hot Keys

00000409

\winhlp32.exe

x:\...\

OLE32.DLL

%SystemRoot%\System32\user32.dll

%s\%d

Software\Microsoft\Windows\CurrentVersion\Reliability

hh.exe

indicdll.dll

Multi-User Windows USER API Client DLL

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Windows

Operating System

6.1.7601.17514

%original file name%.exe_3700_rwx_01CA0000_000A1000:

mpr.dll

ldap_msgfree

1.2.840.113556.1.4.529

wldap32.dll

PSSShd%

ADVAPI32.dll

CryptDeriveKey

CryptDestroyKey

CryptDuplicateKey

CryptExportKey

CryptGenKey

CryptGetKeyParam

CryptGetUserKey

CryptHashSessionKey

CryptImportKey

CryptSetKeyParam

ElfReportEventA

ElfReportEventAndSourceW

ElfReportEventW

EncryptedFileKeyInfo

FreeEncryptedFileKeyInfo

FreeEncryptionCertificateHashList

GetEventLogInformation

GetMultipleTrusteeOperationA

GetMultipleTrusteeOperationW

GetServiceKeyNameA

GetServiceKeyNameW

GetWindowsAccountDomainSid

ImpersonateNamedPipeClient

LogonUserExExW

MSChapSrvChangePassword

MSChapSrvChangePassword2

RegCloseKey

RegCreateKeyA

RegCreateKeyExA

RegCreateKeyExW

RegCreateKeyTransactedA

RegCreateKeyTransactedW

RegCreateKeyW

RegDeleteKeyA

RegDeleteKeyExA

RegDeleteKeyExW

RegDeleteKeyTransactedA

RegDeleteKeyTransactedW

RegDeleteKeyValueA

RegDeleteKeyValueW

RegDeleteKeyW

RegDisableReflectionKey

RegEnableReflectionKey

RegEnumKeyA

RegEnumKeyExA

RegEnumKeyExW

RegEnumKeyW

RegFlushKey

RegGetKeySecurity

RegLoadAppKeyA

RegLoadAppKeyW

RegLoadKeyA

RegLoadKeyW

RegNotifyChangeKeyValue

RegOpenKeyA

RegOpenKeyExA

RegOpenKeyExW

RegOpenKeyTransactedA

RegOpenKeyTransactedW

RegOpenKeyW

RegOverridePredefKey

RegQueryInfoKeyA

RegQueryInfoKeyW

RegQueryReflectionKey

RegRenameKey

RegReplaceKeyA

RegReplaceKeyW

RegRestoreKeyA

RegRestoreKeyW

RegSaveKeyA

RegSaveKeyExA

RegSaveKeyExW

RegSaveKeyW

RegSetKeySecurity

RegSetKeyValueA

RegSetKeyValueW

RegUnLoadKeyA

RegUnLoadKeyW

ReportEventA

ReportEventW

SaferiIsExecutableFileType

SetUserFileEncryptionKey

SetUserFileEncryptionKeyEx

WmiExecuteMethodA

WmiExecuteMethodW

KERNELBASE.AddMandatoryAce

ntdll.EtwCreateTraceInstanceId

ntdll.EtwEventActivityIdControl

ntdll.EtwEventEnabled

ntdll.EtwEventProviderEnabled

ntdll.EtwEventRegister

ntdll.EtwEventUnregister

ntdll.EtwEventWrite

ntdll.EtwEventWriteEndScenario

ntdll.EtwEventWriteStartScenario

ntdll.EtwEventWriteString

ntdll.EtwEventWriteTransfer

ntdll.EtwGetTraceEnableFlags

ntdll.EtwGetTraceEnableLevel

ntdll.EtwGetTraceLoggerHandle

KERNELBASE.IsValidRelativeSecurityDescriptor

NTDLL.MD4Final

NTDLL.MD4Init

NTDLL.MD4Update

NTDLL.MD5Final

NTDLL.MD5Init

NTDLL.MD5Update

pcwum.PerfCreateInstance

pcwum.PerfDecrementULongCounterValue

pcwum.PerfDecrementULongLongCounterValue

pcwum.PerfDeleteInstance

pcwum.PerfIncrementULongCounterValue

pcwum.PerfIncrementULongLongCounterValue

pcwum.PerfQueryInstance

pcwum.PerfSetCounterRefValue

pcwum.PerfSetCounterSetInfo

pcwum.PerfSetULongCounterValue

pcwum.PerfSetULongLongCounterValue

pcwum.PerfStartProvider

pcwum.PerfStartProviderEx

pcwum.PerfStopProvider

ntdll.EtwRegisterTraceGuidsA

ntdll.EtwRegisterTraceGuidsW

CRYPTSP.CheckSignatureInFile

ntdll.EtwLogTraceEvent

ntdll.EtwTraceEventInstance

ntdll.EtwTraceMessage

ntdll.EtwTraceMessageVa

ntdll.EtwUnregisterTraceGuids

\[%D@

PSSSSSSh

PSSSSSSh#

PSSSSSSh

PSSSSSSh

(PSSSSSSh

0PSSSSSSh

8PSSSSSSh

v(SSSSSSh

PSSSSSSh!

d:\w7rtm\minkernel\screg\winreg\perflib\manifest.c

CloseWindowStation

GetProcessWindowStation

MsgWaitForMultipleObjects

d:\w7rtm\minkernel\screg\winreg\perflib\extinit.c

d:\w7rtm\minkernel\screg\winreg\perflib\utils.c

d:\w7rtm\minkernel\screg\winreg\perflib\perflib.c

d:\w7rtm\minkernel\screg\winreg\perflib\extquery.c

d:\w7rtm\minkernel\screg\winreg\perflib\perfname.c

d:\w7rtm\minkernel\screg\winreg\perflib\migrate.c

TermsrvSetKeySecurity

TermsrvRestoreKey

TermsrvDeleteKey

TermsrvSetValueKey

tsappcmp.dll

d:\w7rtm\minkernel\screg\winreg\regbase\perflibc.c

d:\w7rtm\minkernel\screg\winreg\perflib\perflibc.c

d:\w7rtm\minkernel\screg\winreg\perflib\pcwconsumer.c

Unable to locate init routine, error = %d

Unable to load client dll, error = %d

SamiChangePasswordUser2

SamiChangePasswordUser

ShellExecuteExW

AccProvGetOperationResults

AccProvCancelOperation

SetupDiOpenDevRegKey

WSShP

u%9x$u/9p

CRYPTSP.dll

WINTRUST.dll

SspiCli.dll

USER32.dll

bcrypt.dll

API-MS-Win-Security-LSALookup-L1-1-0.dll

pcwum.dll

SetProcessWindowStation

RPCRT4.dll

KERNEL32.dll

API-MS-Win-Security-Base-L1-1-0.dll

API-MS-Win-Core-ProcessThreads-L1-1-0.dll

API-MS-Win-Core-NamedPipe-L1-1-0.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

API-MS-WIN-Service-Management-L2-1-0.dll

API-MS-WIN-Service-Management-L1-1-0.dll

API-MS-WIN-Service-winsvc-L1-1-0.dll

API-MS-WIN-Service-Core-L1-1-0.dll

KERNELBASE.dll

ntdll.dll

msvcrt.dll

RtlRunOnceExecuteOnce

NtOpenKey

NtQueryValueKey

NtQueryKey

NtCreateKey

NtSetValueKey

NtDeleteKey

NtEnumerateKey

RtlFormatCurrentUserKeyPath

NtDelayExecution

EtwpGetCpuSpeed

NtRenameKey

NtLoadKeyEx

NtCreateKeyTransacted

NtOpenKeyTransacted

NtQueryMultipleValueKey

NtOpenKeyEx

NtOpenKeyTransactedEx

NtReplaceKey

NtSaveKey

NtSaveMergedKeys

GetSystemWindowsDirectoryW

GetProcessHeap

advapi32.pdb

KEYWt

KEYWX

KEYW

KEYWp

KEYWD

KEYWL

KEYW,

2$3(30343

2 2&212>2

88C8P8X8

7$7,727=7

3&4/454:4

4(6,60646

>$?(?4?\?

5%6U6n7

4 42474^4

<$=(=4=>=_>

1$2(20242<2@2

; ;$;,;0;

20252[2`2

7Ÿ9

1 2$2(2,2

%s\u

x-x-x-xx-xxxxxx

\PIPE\

cryptbase.dll

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%

Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Windows NT Network Provider

\\.\WMIDataDevice

lX-X-X-XX-XXXXXX

Software\Microsoft\Windows NT\CurrentVersion\Diagnostics

\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

%HKEY_LOCAL_MACHINE

%HKEY_CURRENT_USER

\Registry\Machine\Software\Policies\Microsoft\Windows\Safer

\Software\Policies\Microsoft\Windows\Safer

\UrlZones

\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib

ncacn_ip_tcp

nrpcrt4.dll

%SystemRoot%\

%SystemRoot%\System32\Drivers\

user32.dll

msiltcfg.dll

Software\Microsoft\Windows\CurrentVersion\Group Policy\Appmgmt

Export

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib

\SystemRoot\system32\perf0000.dat

%SystemRoot%\Debug\UserMode\appmgmt.bak

APPMGMT (%x.%x) d:d:d:d

%s%s%d%s%s%s%s%s%s%s{lx-x-x-xx-xxxxxx}

certificate

PerfDbg.Etl

C:\perfdbg.etl

$winnt$.inf

\SystemRoot\system32\prf00000.dat

127.0.0.1

{lx-x-x-xx-xxxxxx}

UrlZones

DisallowExecution

setupapi.dll

advapi32.dll

iphlpapi.dll

\PIPE\winreg

perfh016.dat

perfc016.dat

perfh004.dat

perfc004.dat

feclient.dll

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server

samlib.dll

LsarpcClientAllowRemotedSecretOperations

SupportUrl

Wshell32.dll

CEvents::Report called with more params then expected!

8c7daf44-b6dc-11d1-9a4c-0020af6e7c57

%SystemRoot%\Debug\UserMode\appmgmt.log

{x-x-x-xx-xxxxxx}

\Device\Video%d

WHardwareInformation.BiosString

HardwareInformation.AdapterString

HardwareInformation.DacType

HardwareInformation.ChipType

HardwareInformation.MemorySize

\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost

\Device\Harddisk%u\Partition0

\\.\%s

Target%d

WindowsShutdown

765294BA-60BC-48B8-92E9-89FD77769D91

ws2_32.dll

NOT_TCPIP

%ws\%ws.tmp

ncacn_nb_tcp

\PIPE\InitShutdown

Advanced Windows 32 Base API

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Windows

Operating System

6.1.7601.17514

Microsoft-Windows-Kernel-WDI/Analytic

Microsoft-Windows-Kernel-WDI/Debug

Microsoft-Windows-Kernel-WDI/Operational

Keyword

KERNEL_GENERAL_KEYWORD_TIME

Microsoft-Windows-Kernel-Process/Analytic

ReadOperationCount

WriteOperationCount

WINEVENT_KEYWORD_PROCESS

WINEVENT_KEYWORD_THREAD

WINEVENT_KEYWORD_IMAGE

WINEVENT_KEYWORD_CPU_PRIORITY

WINEVENT_KEYWORD_OTHER_PRIORITY

Microsoft-Windows-Kernel-Registry/Analytic

KeyObject

KeyName

CreateKey

OpenKey

DeleteKey

QueryKey

SetValueKey

DeleteValueKey

QueryValueKey

EnumerateKey

EnumerateValueKey

QueryMultipleValueKey

SetInformationKey

FlushKey

CloseKey

QuerySecurityKey

SetSecurityKey

Microsoft-Windows-Kernel-PnP/Diagnostic

Pnp:DpReplace.ExtendedStatusMap

SqmWindowsSessionId

Microsoft-Windows-Kernel-Acpi/Diagnostic

Microsoft-Windows-International/Operational

RegistryKey

Operation

Microsoft-Windows-User-Loader/Analytic

USER_LOADER_KEYWORD_DEPRECATED_DLL

Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic

Microsoft-Windows-Kernel-Prefetch/Diagnostic

Microsoft-Windows-UAC/Operational

Microsoft-Windows-COM/Analytic

/hXXp://schemas.microsoft.com/win/2004/08/events

DhXXp://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0

Microsoft-Windows-MUI/Operational

Microsoft-Windows-MUI/Admin

Microsoft-Windows-MUI/Analytic

Microsoft-Windows-MUI/Debug

Microsoft-Windows-Kernel-Network/Analytic

dport

sport

KERNEL_NETWORK_OPCODE_TCPCOPY

KERNEL_NETWORK_OPCODE_SENDUDP

KERNEL_NETWORK_OPCODE_RECVUDP

KERNEL_NETWORK_OPCODE_FAILUDP

KERNEL_NETWORK_TASK_TCPIP

KERNEL_NETWORK_TASK_UDPIP

KERNEL_NETWORK_KEYWORD_IPV4

KERNEL_NETWORK_KEYWORD_IPV6

Microsoft-Windows-Kernel-Disk/Analytic

Microsoft-Windows-Kernel-EventTracing/Admin

Microsoft-Windows-Kernel-EventTracing/Analytic

ETW_KEYWORD_SESSION

ETW_KEYWORD_PROVIDER

Microsoft-Windows-Kernel-Boot/Analytic

Microsoft-Windows-Kernel-File/Analytic

FileKey

OperationEnd

KERNEL_FILE_KEYWORD_FILENAME

KERNEL_FILE_KEYWORD_FILEIO

KERNEL_FILE_KEYWORD_OP_END

KERNEL_FILE_KEYWORD_CREATE

KERNEL_FILE_KEYWORD_READ

KERNEL_FILE_KEYWORD_WRITE

KERNEL_FILE_KEYWORD_DELETE_PATH

KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH

KERNEL_FILE_KEYWORD_CREATE_NEW_FILE

Microsoft-Windows-PCI/Diagnostic

Microsoft-Windows-Kernel-StoreMgr/Analytic

Microsoft-Windows-Kernel-StoreMgr/Operational

CacheTerminationMsgMap

StoreMgrCorruptPageMsgMap

DataKey

StoreKey

StoreFileKey

Microsoft-Windows-Kernel-Memory/Analytic

KERNEL_MEM_KEYWORD_MEMINFO

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\stat[1].js (1321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\zz_1235k_com[1].htm (20 bytes)
C:\%original file name%.exe (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\core[1].js (766 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\pic1[1].gif (428 bytes)
C:\AppData\AppConfig.ini (40 bytes)
C:\AppData\QS.db (83 bytes)
C:\AppData\QS.db-journal (1638 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\YVO1QEAO.txt (111 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\IF7ACF98.txt (379 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\L6GP1A49.txt (116 bytes)
C:\AppLink\sql.dll (1677 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\stat[1].gif (43 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Trojan.Win32.FlyStudio_99b70f3517

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet

Trojan.Win32.FlyStudio_99b70f3517

E-mail

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet