3.5
中危
DACN
0.12
FACILE
1.00
IMCLNet
0.77
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | MBR:Plite-I [Rtk] | 20200425 | 18.4.3895.0 |
| Baidu | Win32.Rootkit.Agent.s | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200426 | 2013.8.14.323 |
| McAfee | Trojan-FRMF!1707C18EA951 | 20200426 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b0a06d | 20200426 | 1.0.0.1 |
静态指标
检查进程是否被调试器调试
(2 个事件)
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1727545297.9225 IsDebuggerPresent |
failed | 0 | 0 | |
|
1727545389.43775 IsDebuggerPresent |
failed | 0 | 0 |
观察到命令行控制台输出
(32 个事件)
检查系统中的内存量,这可以用于检测可用内存较少的虚拟机
(1 个事件)
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(2 个事件)
| section | ashdhas |
| section | .adata |
文件包含未知的 PE 资源名称,可能指示打包器
(1 个事件)
| resource name | IDR_BINARY |
动态指标
在 PE 资源中识别到外语
(24 个事件)
| name | IDR_BINARY | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x00030668 | size | 0x0000390d | ||||||||||||||||||
| name | IDR_BINARY | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x00030668 | size | 0x0000390d | ||||||||||||||||||
| name | RT_ICON | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x00041284 | size | 0x00000468 | ||||||||||||||||||
| name | RT_ICON | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x00041284 | size | 0x00000468 | ||||||||||||||||||
| name | RT_ICON | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x00041284 | size | 0x00000468 | ||||||||||||||||||
| name | RT_ICON | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x00041284 | size | 0x00000468 | ||||||||||||||||||
| name | RT_ICON | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x00041284 | size | 0x00000468 | ||||||||||||||||||
| name | RT_ICON | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x00041284 | size | 0x00000468 | ||||||||||||||||||
| name | RT_ICON | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x00041284 | size | 0x00000468 | ||||||||||||||||||
| name | RT_ICON | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x00041284 | size | 0x00000468 | ||||||||||||||||||
| name | RT_ICON | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x00041284 | size | 0x00000468 | ||||||||||||||||||
| name | RT_ICON | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x00041284 | size | 0x00000468 | ||||||||||||||||||
| name | RT_ICON | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x00041284 | size | 0x00000468 | ||||||||||||||||||
| name | RT_ICON | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x00041284 | size | 0x00000468 | ||||||||||||||||||
| name | RT_ICON | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x00041284 | size | 0x00000468 | ||||||||||||||||||
| name | RT_ICON | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x00041284 | size | 0x00000468 | ||||||||||||||||||
| name | RT_ICON | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x00041284 | size | 0x00000468 | ||||||||||||||||||
| name | RT_ICON | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x00041284 | size | 0x00000468 | ||||||||||||||||||
| name | RT_MENU | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x0003f678 | size | 0x0000004a | ||||||||||||||||||
| name | RT_DIALOG | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x0003f6c4 | size | 0x00000194 | ||||||||||||||||||
| name | RT_STRING | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x0003f858 | size | 0x00000048 | ||||||||||||||||||
| name | RT_ACCELERATOR | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x0003f8a0 | size | 0x00000010 | ||||||||||||||||||
| name | RT_GROUP_ICON | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x00041194 | size | 0x00000076 | ||||||||||||||||||
| name | RT_GROUP_ICON | language | LANG_KOREAN | filetype | None | sublanguage | SUBLANG_KOREAN | offset | 0x00041194 | size | 0x00000076 | ||||||||||||||||||
在文件系统上创建可执行文件
(3 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\_uninsep.bat |
| file | C:\Users\Administrator\AppData\Local\Temp\ujmuq.exe |
| file | C:\Users\Administrator\AppData\Local\Temp\tozaz.exe |
投放一个二进制文件并执行它
(3 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\tozaz.exe |
| file | C:\Users\Administrator\AppData\Local\Temp\_uninsep.bat |
| file | C:\Users\Administrator\AppData\Local\Temp\ujmuq.exe |
将可执行文件投放到用户的 AppData 文件夹
(3 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\04ffae3a657750b527cefec03ac8a2df34498ab99857f27c5fac93c5bf95d830.exe |
| file | C:\Users\Administrator\AppData\Local\Temp\tozaz.exe |
| file | C:\Users\Administrator\AppData\Local\Temp\ujmuq.exe |
一个进程创建了一个隐藏窗口
(2 个事件)
网络通信
与未执行 DNS 查询的主机进行通信
(5 个事件)
| host | 218.54.31.226 | |||
| host | 114.114.114.114 | |||
| host | 1.234.83.146 | |||
| host | 218.54.31.165 | |||
| host | 133.242.129.155 | |||
从磁盘删除已执行的文件
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\_uninsep.bat |
文件已被 VirusTotal 上 56 个反病毒引擎识别为恶意
(50 out of 56 个事件)
| ALYac | Trojan.GenericKD.42282840 |
| APEX | Malicious |
| AVG | MBR:Plite-I [Rtk] |
| Acronis | suspicious |
| Ad-Aware | Trojan.GenericKD.42282840 |
| AhnLab-V3 | Malware/Win32.Generic.C2991726 |
| Antiy-AVL | Trojan/Win32.Swisyn |
| Arcabit | Trojan.Generic.D2852F58 |
| Avast | MBR:Plite-I [Rtk] |
| Avira | TR/Urelas.zvmfv |
| Baidu | Win32.Rootkit.Agent.s |
| BitDefender | Trojan.GenericKD.42282840 |
| BitDefenderTheta | AI:Packer.25A37E0120 |
| Bkav | W32.AIDetectVM.malware |
| Comodo | TrojWare.Win32.Urelas.DAQ@5qwr5f |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.ea9515 |
| Cylance | Unsafe |
| Cyren | W32/Urelas.E.gen!Eldorado |
| DrWeb | Trojan.AVKill.33153 |
| ESET-NOD32 | a variant of Win32/Urelas.V |
| Emsisoft | Trojan.GenericKD.42282840 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/Urelas.E.gen!Eldorado |
| F-Secure | Trojan.TR/Urelas.zvmfv |
| FireEye | Generic.mg.1707c18ea95150d7 |
| Fortinet | W32/Swisyn.PFF!tr |
| GData | Trojan.GenericKD.42282840 |
| Ikarus | Trojan.Win32.Urelas |
| Invincea | heuristic |
| Jiangmin | Trojan/Jorik.hnny |
| K7AntiVirus | Backdoor ( 0053e8561 ) |
| K7GW | Backdoor ( 0053e8561 ) |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| MAX | malware (ai score=82) |
| Malwarebytes | Trojan.MalPack.UKN |
| MaxSecure | Trojan.Malware.121218.susgen |
| McAfee | Trojan-FRMF!1707C18EA951 |
| McAfee-GW-Edition | BehavesLike.Win32.Backdoor.dm |
| MicroWorld-eScan | Trojan.GenericKD.42282840 |
| Microsoft | Trojan:Win32/Urelas.AA |
| NANO-Antivirus | Trojan.Win32.AVKill.eejeyr |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | HEUR/QVM41.1.D173.Malware.Gen |
| Rising | Trojan.Urelas!1.9D87 (RDMK:cmRtazodWU6LL1WqIvzgOh4aG0g9) |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | Troj/Urelas-Q |
| Tencent | Malware.Win32.Gencirc.10b0a06d |
| VBA32 | BScope.Trojan.AVKill |
连接到不再响应请求的 IP 地址(合法服务通常会保持运行)
(4 个事件)
| dead_host | 218.54.31.226:11110 |
| dead_host | 1.234.83.146:11170 |
| dead_host | 218.54.31.165:11110 |
| dead_host | 133.242.129.155:11110 |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2013-07-21 21:33:11
PE Imphash
577c9bf9376c6b924c828cb5b26fac76
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x00022000 | 0x00021200 | 6.552049631423334 |
| .rdata | 0x00023000 | 0x00008000 | 0x00007e00 | 5.208309152505161 |
| .data | 0x0002b000 | 0x00005000 | 0x00001a00 | 3.662582776026738 |
| .rsrc | 0x00030000 | 0x00010000 | 0x00010000 | 2.847670610124803 |
| ashdhas | 0x00040000 | 0x0000d000 | 0x0000ca00 | 4.5680667450210155 |
| .adata | 0x0004d000 | 0x00001000 | 0x00000000 | 0.0 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| IDR_BINARY | 0x00030668 | 0x0000390d | LANG_KOREAN | SUBLANG_KOREAN | None |
| IDR_BINARY | 0x00030668 | 0x0000390d | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_ICON | 0x00041284 | 0x00000468 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_ICON | 0x00041284 | 0x00000468 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_ICON | 0x00041284 | 0x00000468 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_ICON | 0x00041284 | 0x00000468 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_ICON | 0x00041284 | 0x00000468 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_ICON | 0x00041284 | 0x00000468 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_ICON | 0x00041284 | 0x00000468 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_ICON | 0x00041284 | 0x00000468 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_ICON | 0x00041284 | 0x00000468 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_ICON | 0x00041284 | 0x00000468 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_ICON | 0x00041284 | 0x00000468 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_ICON | 0x00041284 | 0x00000468 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_ICON | 0x00041284 | 0x00000468 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_ICON | 0x00041284 | 0x00000468 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_ICON | 0x00041284 | 0x00000468 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_ICON | 0x00041284 | 0x00000468 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_MENU | 0x0003f678 | 0x0000004a | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_DIALOG | 0x0003f6c4 | 0x00000194 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_STRING | 0x0003f858 | 0x00000048 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_ACCELERATOR | 0x0003f8a0 | 0x00000010 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_GROUP_ICON | 0x00041194 | 0x00000076 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_GROUP_ICON | 0x00041194 | 0x00000076 | LANG_KOREAN | SUBLANG_KOREAN | None |
| RT_MANIFEST | 0x0004113c | 0x00000056 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library KERNEL32.dll:
• 0x423014 CreateThread
• 0x423018 GetTempPathW
• 0x42301c GetSystemDirectoryW
• 0x423020 DeleteFileW
• 0x423024 GetModuleHandleW
• 0x423028 FindResourceW
• 0x42302c SizeofResource
• 0x423030 LoadResource
• 0x423034 LockResource
• 0x423038 FreeResource
• 0x42303c MultiByteToWideChar
• 0x423040 GetVersionExW
• 0x423044 CreateFileW
• 0x423048 GetFileSizeEx
• 0x42304c GetLastError
• 0x423050 GetCurrentProcessId
• 0x423054 TerminateProcess
• 0x423058 GetModuleHandleA
• 0x42305c GetProcAddress
• 0x423060 GetTempPathA
• 0x423064 GetModuleFileNameA
• 0x423068 CreateFileA
• 0x42306c WriteFile
• 0x423070 ReadFile
• 0x423074 SetFilePointer
• 0x423078 CreateEventW
• 0x42307c DeviceIoControl
• 0x423080 SystemTimeToFileTime
• 0x423084 GetCurrentDirectoryW
• 0x423088 LocalFileTimeToFileTime
• 0x42308c WideCharToMultiByte
• 0x423090 CreateDirectoryW
• 0x423094 SetFileTime
• 0x423098 SetFileAttributesW
• 0x42309c SetEndOfFile
• 0x4230a0 GetLocaleInfoA
• 0x4230a4 GetStringTypeW
• 0x4230a8 GetStringTypeA
• 0x4230ac HeapSize
• 0x4230b0 WriteConsoleW
• 0x4230b4 GetConsoleOutputCP
• 0x4230b8 WriteConsoleA
• 0x4230bc LoadLibraryA
• 0x4230c0 CloseHandle
• 0x4230c4 OpenEventW
• 0x4230c8 GetFileAttributesW
• 0x4230cc Sleep
• 0x4230d0 GetTickCount
• 0x4230d4 ExitProcess
• 0x4230d8 FlushFileBuffers
• 0x4230dc GetModuleFileNameW
• 0x4230e0 SetStdHandle
• 0x4230e4 InitializeCriticalSection
• 0x4230e8 GetSystemTimeAsFileTime
• 0x4230ec QueryPerformanceCounter
• 0x4230f0 GetCommandLineW
• 0x4230f4 GetCommandLineA
• 0x4230f8 GetEnvironmentStringsW
• 0x4230fc FreeEnvironmentStringsW
• 0x423100 GetEnvironmentStrings
• 0x423104 FreeEnvironmentStringsA
• 0x423108 LCMapStringW
• 0x42310c LCMapStringA
• 0x423110 GetOEMCP
• 0x423114 GetACP
• 0x423118 GetCPInfo
• 0x42311c RaiseException
• 0x423120 InterlockedDecrement
• 0x423124 GetCurrentThreadId
• 0x423128 SetLastError
• 0x42312c InterlockedIncrement
• 0x423130 HeapAlloc
• 0x423134 HeapFree
• 0x423138 GetVersionExA
• 0x42313c GetProcessHeap
• 0x423140 GetStartupInfoW
• 0x423144 GetCurrentProcess
• 0x423148 UnhandledExceptionFilter
• 0x42314c SetUnhandledExceptionFilter
• 0x423150 IsDebuggerPresent
• 0x423154 EnterCriticalSection
• 0x423158 LeaveCriticalSection
• 0x42315c RtlUnwind
• 0x423160 SetHandleCount
• 0x423164 GetStdHandle
• 0x423168 GetFileType
• 0x42316c GetStartupInfoA
• 0x423170 DeleteCriticalSection
• 0x423174 VirtualFree
• 0x423178 VirtualAlloc
• 0x42317c HeapReAlloc
• 0x423180 HeapDestroy
• 0x423184 HeapCreate
• 0x423188 GetConsoleCP
• 0x42318c GetConsoleMode
• 0x423190 TlsGetValue
• 0x423194 TlsAlloc
• 0x423198 TlsSetValue
• 0x42319c TlsFree
Library USER32.dll:
• 0x4231b0 LoadStringW
• 0x4231b4 LoadAcceleratorsW
• 0x4231b8 GetMessageW
• 0x4231bc TranslateAcceleratorW
• 0x4231c0 TranslateMessage
• 0x4231c4 DispatchMessageW
• 0x4231c8 LoadIconW
• 0x4231cc LoadCursorW
• 0x4231d0 RegisterClassExW
• 0x4231d4 CreateWindowExW
• 0x4231d8 DialogBoxParamW
• 0x4231dc DestroyWindow
• 0x4231e0 DefWindowProcW
• 0x4231e4 BeginPaint
• 0x4231e8 wsprintfW
• 0x4231ec EndDialog
• 0x4231f0 PostQuitMessage
• 0x4231f4 EndPaint
Library ADVAPI32.dll:
• 0x423000 RegQueryValueExW
• 0x423004 RegCloseKey
• 0x423008 RegSetValueExW
• 0x42300c RegOpenKeyExW
Library WS2_32.dll:
• 0x4231fc htonl
• 0x423200 connect
• 0x423204 WSAGetLastError
• 0x423208 recv
• 0x42320c send
• 0x423210 WSAStartup
• 0x423214 closesocket
• 0x423218 gethostbyaddr
• 0x42321c socket
• 0x423220 gethostbyname
• 0x423224 inet_addr
• 0x423228 htons
Library iphlpapi.dll:
• 0x423230 GetAdaptersInfo
L!This program cannot be run in DOS mode.
`.rdata
@ashdhas
.adata
]UQMME
@@fufL$
BBFFfu^
AABBfuD$
SV3;Wt
_8VVVVV?
AAKu;t
AAGGf;t
3_^[UWVu
DDDDDDDDDDDDDD
SVW3;t
^0WWWWW;
BBFFf;t
@@fu3_[
VVVVV:
;t3f97
uf93u
jEPhDB
_VVVVV8.:
VVVVVH9
3;u ;9
utAuU k(
E3B;r9]u
u] k(+
VVVVV+7
VW395B
8_^[]UW
)}}v;]rI}
E+)E(V
3PPPPP
;t$39u
WWWWW2
Y}V.YEE
3b339u
0VVVVV 1
@@fu+D$
tAt2t$
vP;Qt}
XP;Qt}
9P;Qt}
xP;Qt}
ZP;Qt~
lP;Qt}
NP;Qt~
/fPf;Q
iP;Qt}
KP;Qt}
,P;Qt}
mU S39]
;t$;u
tU;|BMx
YYt"Mx
39]f\~
HH_^[UV39u
VVVVVv
GGBBft
7GGEPj
RPjjEUhe
Yu'fAr
E;ErCE9Eu
3;Er/w
Quuuzd
u>9ur9w
`p33_^[U39
S3;VWt
^0SSSSS
3_^[U S39]
t4;|"Mx
HH_^[US39]
SSSSS;
CCGGf
t8f;t1
MQCPCxn
Map_^[V3958B
GGBBf;
S3;VWt
^0SSSSS
UQSV3;u
^SSSSS0
^SSSSS0
AA@39]
IGG;r3_^[
3;v.jX3;E
WWWWW}
0^_W|$
[^_UVu
^0WWWWW
X_^]UWVu
r*$tL@
DDDDDDDDDDDDDD
]|ux}tf
f]pfElfehfmd
Iuu}]U
+EPRQL
SUVt$ 3W=xB
FFf> t
at7rt+wt UUUUU
FFf> tj
FFf> tf9.
t$,D$,St$,P
Y]3u;5@B
4VYY B
+SVWDB
1E3PeuEEEEd
Y__^[]Q
S\$ UVs
8:D$(@
L$ St^Dm
L$(9csmu*=
URPQQhx]@
t;T$4t
;v.4v\
UVWS33333[_^]
33333USVWj
_^[]Ul$
}VVVVV
W>+~,WPVYPJ&
Y}3u;5@B
tVPV%YY3BU B
YjTh0B
Ej(j ^VY
3FRj(j sY
eEVW3PB
F$|3@_^
_^UQQM
MOI;|9 M
3@_^[U
SI VW}
HD9#U#
MLD3#u
]#\D\D
_^[UQQVE3PuuG
VVVVVr
VVVVVW
NVVVVV
6YYuTVWh@
FYhx2B
VVVVVY
3PPPPP
@<Yv8Vt;
3VVVVV
;t%t j
]_^[Yj
Yu =@B
3@3Vt$
WWWWW
jX;EUu
r'8WWWWW
P7YME;E
j3[_^j
WWWWWG
]u,9 ;t
;u't0ZVVVVV
30VVVVV
FE3PPj
MQPuFEu
M3+ME;(
@@FF}f
++PPVh
GE+E;(
EEuV}39ut j
WWWWW(
yYP5LB
YYt:V5HB
PwYF,t
PiYF4t
P[YF<t
PMYFDt
P?YFHt
P1YF\=B
\YWh8B
<3_V5\0B
YYt4V5HB
PCC>Yu
j?rY|$
3PPPPPc
ItEht7lt
FFE9}|
Et-EEPEE
fEEEuM
jitUnt
CECEEPu
u]PuEVP5PB
EPV5\B
YYYf}gu
EPV5XB
YYY>-u
FuVrUE
90t9MM
WSj0Es
uN~J}uM
MVE5Y}
Wt1t'P
QSUVW5B
;YYr|+
;r;Pt$
3_^][YVj
ANu_^][U$d
whu;5B
8]tEMap<u
E`p[U DB
Zf1Af0A@@Ju
@;vFF~
M_^3[Iuj
P Y^hS=,1B
(Y%u xB
3SUVt$
3;Wto=0B
;t^9(uZ
;tD9(u@
Y_^][SUVt$
P_^][Vt$
SUW= 1B
t7t3V0;t(W8Yt
VxY^3j
Fpt"~l
f;rpf=Z
f;r\f=
Pf;rJf=*
f;r6f=J
f;r"f=
uuU9uu-VVVV
P#Yt6u
3MEEEE
ItFht8lt
HHtAHHt
GEGEEPu
u}PuESP5PB
EPS5\B
]YYY}gu
EPS5XB
>YYY;-u
C]StuM!s
RPSW309]~
0@3If8
@@u+E u
]+]+]E
EtQ~Mu
PEFPF6
WSj E~
3PPPPP
Wu6SSj
Pql;Yt
]9]tSSWuu
txVSuuu
t0WWWWW/
ESYuEYe_^[M3`U
u$Mu u
MapQL$
QPREP
Map[UQQV
EYF`[_^
BVmGf>=Yt/j
tLVWPb
UUUUU|
4~f9.u5
3Y[_^]5B
UQV39U
@@ft;uf t
@@HHf9
@@Bf8\tf8"u7
ft$9Uu
_^UQQSVWh
h]?YYsJM
V]&EHYB
_^[QlB
UVW33;u.
@@f98u@@f98u+@@U"
t#SSjVj
++QVjWj
t.WjV|
_^][YS^Y
S3;V50B
Y3_]^[VW B
;r_^VW(B
E3E3;u
3SEEESX5
PZ+t Q3
3VW3t$
_^VW3j
u_^VW3t$
YYu-9D$
_};=@B
YU,SV3E
t>Ht2Ht&
^SSSSS0b
+t5+t(+t
>t3;t/=
$ MeHM
ERP6/,
;tSS6$
CSSS6[
E+PD=P6
_8VVVVV
9ut(9ut
Y;uSEP
t!h,;B
(;r3_^[j
RsYt=E
+PRYYt+@$
USVWUj
P(RP$R
t:|$,t
;t$,v-4v
UQPXY]Y[
S3;VW|[;
t58t0=@B
V3;|";
E}uyG&j(j aYYEta
`YVW38B
Y+t"+t
+td+uDX}
3PPPPP
PGEY3}
u@OdMGd
u wdSUY
U SVW.39
u,hT;B
WP";YB
u;tm95B
tePVY;t%MQj
u3EP[Yt
SSSSSO
;t(PY;
Y_^[USVu
3_^[];t
^0SSSSS
^^VVVVV
WVE;Yu
EU_^j
WWWWW|
;VVVVV
EV395`B
tVURPEPQ
MqiE9X
eMapYt
E`p:39]
V6Yt.V*Yt"V
l39]~4N
7C;]|fE
YYM_^3[;
WWWWW{
Y}SwYE;t
8csmu*x
Wu8SS3GWh:B
E 5<0B
39]$SSu
;~Ej3X
PWB;Yt
3;tAuVWuu
EVgYu}gEYY
PAA;Yt
3;tuSW6
#uW[fY
u]YE;t
e_^[M3<6U
M`u(Mu$u u
MapUQQDB
SV3;Wu:EP3FVh:B
39] SSu
Pa?;Yt
ESdEYu39]
e_^[M3A4U
M^u$Mu u
MapVt$
+[6$[v
[v0Zv4Zv
Zv8Zv<Z@v@ZvDZvHZvLZvPZvTZvXZv\Zv`ZvdZvhZvlyZvpqZvtiZvxaZv|YZ@
Y,^Vt$
VYY^Vt$
P6YYF ;
P$YYv$;5TB
YY^UV3PPPPPPPPU
$s ^UV3PPPPPPPPU
$sF ^U
33C;u3EPSh:B
;u9} }u
6~;w6F
PM:;Yt
3;tb9} u
S^Yu^EYe_^[M3.U
MYu Eu
^SSSSS0Io
Map_^[;t.;w(=oj"^SSSSS0n
8]tE`pu
0E`p$M
cWSVw-
0;u,PnWWWWW
u,9uv'lE
E`p3[_^U39
YM3*U4DB
ut:YF;~[
w/D;t8
-WWuuj
t`][9}
WWWWVuWu
;YYEt+WWVPVuWu
uXYEe_^[M3(QL$
zY}SzYE;
YE;t'CH;r
PSu)SzESPz
9}uH;u
E;t CH;r
PSuG)Suuz
bh9}th
`eVVVVV
]|ux}tf
f]pfElfehfmd
YY3PPj
P^UQVu
u,d ;t
_[^3@|$
EPQEPEj
RQMQVp
YYUWVSM
B:t6t:t't
B^_[%\1B
ME]UQj
U UEPM
REPMQZ
8MSMPt
EMAtURE
MAxErpUz|
EMAtURE
PMQxR:
PM]UQE
t*MQ@;U
s EH<MUR9
EEMH<UE
REH<Q?
s*MQ<E
UB<EMy
PMQUB M
EUEEEU
EEU]UQE
EMEM+M
U;Us.E
UMUE+E
E;B(rM
E;EvbM+M
EB43]UE
EXL;Mv
MM;Us!M+
Et*TE,M
EEM,MEL
LUX+ETT;Lv
;Ts9``M
\M\hE(
tzEMLLEDM+LU
`;Ts!\D
dE#dM;Dt*U
B,EM+MMU
t,MQURE
t&UREPMQo
J4;H,u
B4+EEM
t,EPMQU
t&UREPMQ
MU+UUE+E=
E(H(QU(B
MQURE$PM
EURE(H(QU(B$
MQURE$PM
QU Rh`oB
EURE(H(QU(B$
MQU(B(PM(Q$
uMQURE
Px(E}u
H<J0]UTE
M@u UEB
EMEM+M
E@u MUQ
EMEM+M
E;B,uEM
A0;B(t7M
H,+MMUU
M;H,uEU
J0;H(t7U
B,+EEMM
M;H,uEU
J0;H(t7U
B,+EEMM
Q,+UUEE
U;Q,uEE
P0;Q(t7E
H,+MMUU
Q,+UUEE
A0;B4tYM
B,+EEMMU
MUMUE+EEM
REPMQUREP
QUREPMQUR
U;Q,uEE
P0;Q(t7E
H,+MMUU}
B,+EEMMU
E;B,uEM
A0;B(t7M
Q,+UUEE}
EEM;Mv
UUEPMQUR
EEM+MMU
UUE+EEM
s:UMUE+EEM
UXEMEM+MMU
UMUE+E
Q$REPMQUREPM
PMQUREPMQ"
B,+EEMMU
Q,+UUEEM
A0;B4tYM
UB$Ex$
UB(Ex(
u3MQ$RE
E]UpVWE
EU+UU}
tvE;E(s
EPM$Qu
EMQ|U}
MUAP;BTt
E]U@VE
UBX;Es
PhRMQ`R
EMA<UBX+EMAXUE
QltEEH
UE;Es"M
UB|EMU;Q
EH\+MUJ\EH
EH|+MUJ|Ex|
PMQPR{
MAPUB\+E
UREPMQPR
MAPUB\+E
MA\U+U
lUBHMQLD
UxRE(PM
EMUB$A
UxRE(PM
E]UE$PM QU
Q$]UQ}
3]UQMEx
R EPMQR
fEfMQfUR'
MQUREPMQ
EMHDUEBHMAL
UEMQ<PTE@P
MUB4AdMU
MUB@AXMUBDA\MQ0
EPlMQ0
EP|MApxV4
UBtgE#E@xxV4M
UEB|3]U
]Ujh B
t6PQhuB
EPMQUREP
6EPMQj
M;M~rj
;E|!MQU
EM3.]U E
tRh|}B
8uRh}B
uUhD~B
EMQUREPM
+EEMMU;U
EPMQURE
|"MQURE
+UREPM
MQREPM
E3E#E3E
M3M#M3M
U3U#U3U
E3E#E3E
M3M#M3M
U3U#U3U
E3E#E3E
M3M#M3M
U3U#U3U
E3E#E3E
M3M#M3M
U3U#U3U
E3E#E3E
M3M#M3M
U3U#U3U
E3E#E3E
UEMP43Q E3P
M3M#M3MU
EMUA83B$M3A
U3U#U3UE
MUEJ<3H(U3J
E3E#E3EM
3Q,E3P
M3M#M3MU
3B0M3A
U3U3UE
3H4U3J
E3E3EM
3Q8E3P M3Q
M3M3MU
3B<M3A$U3B
U3U3UE
U3J(E3H UJ E3E3EM
E3P,M3Q$
EP$M3M3MU
M3A0U3B(MA(U3U3UE
MUEJ 3H
U3J4E3H,UJ,E3E3EM
UEMP$3Q
E3P8M3Q0
EP0M3M3MU
EMUA(3B
M3A<U3B4MA4U3U3UE
MUEJ,3H
E3H8UJ8E3E3EM
UEMP03Q
EP<M3M3MU
EMUA43B M3A
U3U3UE
MUEJ83H$U3J
E3E3EM
UEMP<3Q(E3P
M3M3MU
3B,M3A
U3U3UE
3H0U3J
E3E3EM
3Q4E3P
M3M3MU
3B8M3A U3B
U3U3UE
3H<U3J$E3H
E3E3EM
E3P(M3Q
EP M3M#MU#U
U3J,E3H$UJ$E3E#EM#M
M3A0U3B(MA(U3U#UE#E
UEMP 3Q
E3P4M3Q,
EP,M3M#MU#U
MUEJ$3H
U3J8E3H0UJ0E3E#EM#M
EMUA(3B
M3A<U3B4MA4U3U#UE#E
UEMP,3Q
EP8M3M#MU#U
MUEJ03H
E3H<UJ<E3E#EM#M
EMUA43B M3A
U3U#UE#E
UEMP83Q$E3P
M3M#MU#U
MUEJ<3H(U3J
E3E#EM#M
3B,M3A
U3U#UE#E
3Q0E3P
M3M#MU#U
3H4U3J
E3E#EM#M
3B8M3A U3B
U3U#UE#E
3Q<E3P$M3Q
M3M#MU#U
U3J(E3H UJ E3E#EM#M
M3A,U3B$MA$U3U#UE#E
E3P0M3Q(
EP(M3M#MU#U
MUEJ 3H
U3J4E3H,UJ,E3E#EM#M
EMUA$3B
M3A8U3B0MA0U3U3UE
MUEJ(3H
U3J<E3H4UJ4E3E3EM
UEMP,3Q
EP8M3M3MU
EMUA03B
U3B<MA<U3U3UE
MUEJ43H U3J
E3E3EM
UEMP83Q$E3P
M3M3MU
EMUA<3B(M3A
U3U3UE
3H,U3J
E3E3EM
3Q0E3P
M3M3MU
3B4M3A
U3U3UE
3H8U3J E3H
E3E3EM
3Q<E3P$M3Q
M3M3MU
M3A(U3B MA U3U3UE
U3J,E3H$UJ$E3E3EM
E3P0M3Q(
EP(M3M3MU
EMUA 3B
M3A4U3B,MA,U3U3UE
MUEJ$3H
U3J8E3H0UJ0E3E3EM
UEMP(3Q
E3P<M3Q4
EP4M3M3MU
EMUA,3B
U3B8MA8U3U3UE
MUEJ03H
E3H<UJ<E3E3EM
}7v%}<s
MQUREM
v(EPMQR$
M3(t]U4jd
UREPMQj
8;Uv4Ei
UUUUfUE
M3q]UDDB
EE_^M3p]U$E
3EEEEE
EUUUEEMQURE
PQRPhPB
M3qm]U
EEMMUR
UEfMf}
EM3k]U
3EEEfEEM
M33k]U,DB
EEEEEfEM
M3xj]U
EUUEPj
UREPMQj
#yEE5B
tYU+UUE;E
MUREPMU
MUUEEM
EM;M}yj
DE|aUE
M37f]U4E
E]UHDB
EEEEfEE
MQURmdou
EUREP@dE
EEEEEEEE
3EEEEEEE
u!`Pj!M
M3k`]U
5pEUEM
EEEEfEjhj
Rj hPnd
``hs!d
EM3^]U
MQURkk
MQUR4m
MMMMMfMU
EM3\]U}
M3[]UQE
MUU}ht
3M3NZ]
Mj.URV
M36V]U DB
3EEEfEEf
M3$U]U|
3*.26:>BfFf
JNRVZ^bff
ff0$Pj
nQpR!P
flfhXB
hMSMPf
hM3J]Uj
MMMMMMfMh
M3iH]U
M3E]U E
EUE;Eu
MQUREPM
t)UREPM
EEEEEEfEhB
ubREPQj
3M3.A]U0
t,EPMQUR
M3>]U4
RPQfURPk
QRPMQR
REPQfUREP
QREPMQUR
EM39]U
EUREPMQU
rpUREPj
M3;7]U<
3sPjMQZ
WVS3D$
$UQQSVWd5
SVWE3PPPuu
E_^[E]Vt$
^U8S}
E[UQSE
k 3@[UQSVW}
u@3Vt$
Fu8M^t
3@3UQQ}
MY3;u+,pj
_VVVVV8o
SSSSSm
F80t.G
E`p3_^[U,DB
^VMQMQp
nSSSSS08n
M_^3[,Uj
]U$VWu
^WWWWW0Om
FVw]YY
E`p3[_^U
MNSu-^jj
^03PPPPPi
E`p3_^[U,DB
^VMQMQp
QiSSSSS0h
M_^3['U0DB
_WMQMQp
hSSSSS8-h
EHE3}-
M_^3[&UE
et_EtZfu
VVVVVe
]EuMm]]
QRWYYt
=csmu+v
8csmu8x
t*9csmu"A
EPvYYE
>csmuB~
tH,YY
u8YYtaSVYYtTw
eYYPVW
9YYt)SVYYt
Ht Hu4j
SlEf3@
VP]UQQVu
t+>MOCt#u$u u
EPEPVu WE
;Es[S;7|G;w
@u"u$u
;Er[_^U,M
s9>u&~
Yu\39 ~
EPEPuu W[
(u$]u E
u$u uSu
_^[Vt$
tR99u2y
u$Vu u
Q 3@_^[]U
miVW_^]M
CEP3SSSSWEPEP;
E`p3M_^3[
M`BEP3SSSSWEPEP
E`p3M_^3[<
^0SSSSSW
W&@PWVN
3_^[]UQU
3PPPPP4U
WVU33D$
%#Vt1W}
_VVVVV8T
YY3^]Pd5
SVW(DB
3PeuEEd
WMEu'339\u
JB|j 3Y+@M
JBj Y+3B\M
3+BL1<
}3^j Y+
WMEu'339\u
JB|j 3Y+@M
JBj Y+3B\M
3+BL1<
}3^j Y+
_[U|DB
S3V3EE
F39]$WE}]u]]]]]]]u
JSSSSS
<+t(<-t$:t<C
]<+t<-t`}
+t HHt
B:t,1<
+JMtHHt
B:}OMEO?
tEPuEP
3f;u!GC
]FFEM}
u3}u*e
]EEEEEEEEEEEE?E
u}u.u*u&f!;f;
;u0u,h(B
VVVVV@
`;fUu}fEM
3##EEEE
f;u$U@B
u-U}ue
EU}um
u3}u*e
fUfUUUU
3f;~<E
u.U]ue
EU]um
H]Uu39Et
u1}u(}Eu
M36fEfEEEE
fE[E}Me
~(E}Mm
0K;]s;]Es
EM_^3[
SUVW|$
t$(L$$##
\$(D$(3
M_^3[j
bad allocation
CorExitProcess
mscoree.dll
runtime error
TLOSS error
SING error
DOMAIN error
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
- not enough space for locale information
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
- CRT not initialized
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
EncodePointer
KERNEL32.DLL
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
UTF-16LE
UNICODE
Unknown exception
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
(null)
`h````
xpxxxx
`h`hhh
xppwpp
InitializeCriticalSectionAndSpinCount
kernel32.dll
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
CONOUT$
Complete Object Locator'
Class Hierarchy Descriptor'
Base Class Array'
Base Class Descriptor at (
Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
delete[]
new[]
`local vftable constructor closure'
`local vftable'
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
delete
__unaligned
__restrict
__ptr64
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
FileUpdate: %s/%d
RecvFileInfo failed from %s/%d
SendMessageToServer: Server = %s/%d, code = %d
ct_init: 256+dist != 512
ct_init: length != 256
ct_init: dist != 256
bit length overflow
code %d bits %d->%d
inconsistent bit counts
gen_codes: max_code %d
dyn trees: dyn %ld, stat %ld
not enough codes
too many codes
bl counts:
bl code %2d
bl tree: sent %ld
lit tree: sent %ld
dist tree: sent %ld
lit data: dyn %ld, stat %ld
dist data: dyn %ld, stat %ld
opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u
bad compressed size
ct_tally: bad match
last_lit %u, last_dist %u, in %ld, out ~%ld(%ld%%)
bad d_code
invalid length
output buffer too small for in-memory compression
bad pack level
Code too clever
insufficient lookahead
no future
wild scan
more < 2
Call UPDATE_HASH() MIN_MATCH-3 more times
jHqA}
kdzbeO\
iLA`rqg
@l2u\E
a=-fAv
\cQkkbal
eLXaMQ:t
jiCn4Fg
c;d>jm
i]Wbgeq6l
8ROggW
A`Ugn1yiFa
fo%6hRw
[&wowG
eibkaEl
`MGiIwn>Jj
)WTg#.zfJa
h]+o*7
unknown zip result code
Success
Culdn't duplicate handle
Couldn't create/open file
Failed to allocate memory
Error writing to file
File not found in the zipfile
Still more data to unzip
Zipfile is corrupt or not a zipfile
Error reading file
Caller: faulty arguments
Caller: the file had already been partially unzipped
Caller: can only get memory of a memory zipfile
Caller: not enough space allocated for memory zipfile
Caller: there was a previous error
Caller: additions to the zip have already been ended
Caller: mixing creation and opening of zip
Zip-bug: internal initialisation not completed
Zip-bug: trying to seek the unseekable
Zip-bug: the anticipated size turned out wrong
Zip-bug: tried to change mind, but not allowed
Zip-bug: an internal error during flation
need dictionary
stream end
file error
stream error
data error
insufficient memory
buffer error
incompatible version
invalid literal/length code
invalid block type
invalid distance code
invalid stored block lengths
too many length or distance symbols
invalid bit length repeat
inflate 1.1.3 Copyright 1995-1998 Mark Adler
incomplete dynamic bit lengths tree
oversubscribed literal/length tree
oversubscribed dynamic bit lengths tree
incomplete literal/length tree
oversubscribed distance tree
incomplete distance tree
empty distance tree with lengths
invalid distance code
invalid literal/length code
unknown compression method
jHqA}
kdzbeO\
iLA`rqg
@l2u\E
a=-fAv
\cQkkbal
eLXaMQ:t
jiCn4Fg
c;d>jm
i]Wbgeq6l
8ROggW
A`Ugn1yiFa
fo%6hRw
[&wowG
eibkaEl
`MGiIwn>Jj
)WTg#.zfJa
h]+o*7
-1.1.3
invalid window size
incorrect header check
need dictionary
incorrect data check
unzip 0.15 Copyright 1998 Gilles Vollant
pt0l0
<Embed File Info>
\\.\PHYSICALDRIVE0
FreeLibrary
Kernel32.dll
LoadLibraryW
Kernel32.dll
%d.%d.%d.%d
C:\VFDD.BIN
1.234.83.146
1.234.83.146
133.242.129.155
_uninsep.bat
GAIsProcessorFeaturePresent
KERNEL32
bad exception
1#QNAN
1#SNAN
c:\work\Update_2005_rep\bin\release\MkRegister.pdb
GetModuleFileNameW
ExitProcess
GetTickCount
GetFileAttributesW
OpenEventW
CloseHandle
CreateEventW
CreateThread
GetTempPathW
GetSystemDirectoryW
DeleteFileW
GetModuleHandleW
FindResourceW
SizeofResource
LoadResource
LockResource
FreeResource
MultiByteToWideChar
GetVersionExW
CreateFileW
GetFileSizeEx
GetLastError
GetCurrentProcessId
TerminateProcess
GetModuleHandleA
GetProcAddress
GetTempPathA
GetModuleFileNameA
CreateFileA
WriteFile
ReadFile
SetFilePointer
FlushFileBuffers
DeviceIoControl
SystemTimeToFileTime
GetCurrentDirectoryW
LocalFileTimeToFileTime
WideCharToMultiByte
CreateDirectoryW
SetFileTime
SetFileAttributesW
KERNEL32.dll
LoadStringW
LoadAcceleratorsW
GetMessageW
TranslateAcceleratorW
TranslateMessage
DispatchMessageW
LoadIconW
LoadCursorW
RegisterClassExW
CreateWindowExW
DialogBoxParamW
DestroyWindow
DefWindowProcW
BeginPaint
EndPaint
PostQuitMessage
EndDialog
wsprintfW
USER32.dll
RegOpenKeyExW
RegSetValueExW
RegCloseKey
RegQueryValueExW
ADVAPI32.dll
ShellExecuteW
ShellExecuteA
SHELL32.dll
WS2_32.dll
GetAdaptersInfo
iphlpapi.dll
HeapAlloc
HeapFree
GetVersionExA
GetProcessHeap
GetStartupInfoW
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
EnterCriticalSection
LeaveCriticalSection
RtlUnwind
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
DeleteCriticalSection
VirtualFree
VirtualAlloc
HeapReAlloc
HeapDestroy
HeapCreate
GetConsoleCP
GetConsoleMode
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
RaiseException
GetCPInfo
GetACP
GetOEMCP
LCMapStringA
LCMapStringW
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineA
GetCommandLineW
QueryPerformanceCounter
GetSystemTimeAsFileTime
InitializeCriticalSection
SetStdHandle
LoadLibraryA
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
HeapSize
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
SetEndOfFile
.?AVbad_alloc@std@@
.?AVexception@std@@
.?AVtype_info@@
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
blh|2,NQ*mm
sQOtN2V
aInvalid partition table
Error loading operating system
Missing operating system
_MYDEBUG:
218.54.31.226
:Repeat
del "%s"
if exist "%s" goto Repeat
rmdir "%s"
del "%s"
.?AVbad_exception@std@@
I x@oGAkU'9p|B
~QCv)/&D(
uuvHMXB
9;5SM]=];Z] T7aZ%]g']
?Zd;On
7?3=Bz
;1az?aUY~S|
D?$?9'
*?}d|FU>c{
zc%C1<!8G
u7.:3q
#2IZ9W
,%I-64OSk%Y
^+AZw8
EmptyProject_u.exe
`})c?_v:ya
C?qz!>
- t'BD
:&x>YH:
L+[k'<
lWH"!az7o
8U,!AOP
-#px_[y[rA
Bz\wqD
G0S05{[
5;Ihwi)&llT
VGIK>3J
FIUutgsK
xc8)n/Z
p xwO 0
daxa<Xhd
:+p<"AY
n<^B ;&14
)'DBlyjC
;e@LPsIi4
CsK}b`hO
$;|U*jT>
*-/lp||,
hDuN6sl&+:2HcAoM%
K>U*d;5
0(~Le+;
:AHtoX
b& L%b2
SwH4togVls)R*N'
,Yyyz_u|=6UnUf<t`
\hJrHR
=5h9FZ
qM;w;8lz
v+ }se'
W_G{oz {
XR9.;*d{{IV_c
|>D-CT;HAP[
`z<M:&#
KJJ1me
m$|:*H0
?:8GK:
.N>lZ4};=H.
kDA3z .A
L&8&x/*D:=0 x#m
^f e[z
=9+Id=o
}ys/ 8
,_;)s:nq
G1%(J-'?rab*
?#=G*:4?.
L7`pQG?9g Sw
!0L{RAL
CtUT+^}ZkXKlXB**d_
O+;$Q0
.}InZO3T
&&S)O`."oW=naK&Q>3
57;12y
~L> gOz6
+TY\K\^
V5]h"(
RWe[(of_x|r7
2koe/;
oPa3$TmR
vl^W>o
?Y;)n6h7v
OQ({UG
~94<9!*
5>Gk5R
#v}7EY
*:|C'z 5o
X5 ^'MdB
nAh:g\ Or
\:N V5u
d,f0lC
~|"7Um\3Ha
1|2p1 \A
8YnKDbg
zutti\
c4)~h(#EFFM
tCUdqXL>Fn@noJ
%XTO5l&.h=2ly9
p({ml+
i}'[[[
k:ZS%tz?
`N[>*|Ci
5`pArT>
5v!<;=G|
PI3Fw?b
BMY72bvqWp
rd_SeBkV-
kq]nry Ojm
Of,9)9C
3RGnS@
OMmO1x
GY!NlL
>+t]ahx9K
nP:cYmzg
%IU+Z+
L9DT/Zs!
2r\TZ#G
,=0ae,+
C{#c' o$M3+_
nzQVG\E
79N E/~~@
+vr(1L7R<"
:H@0Th\4Bg
:A;OhzB
x75Q<S
!|@s-f}*
N 5{AM
-\B'B:%*WG}3
hXNk2$}y
j,tQ\'e
S3=W*Yr$eE
+t2aIJ?'
/FI"""}G+
g|x]7f~E@/t
hts{q5}FEP> @H
8({JY_da#lPZ\vw
Gv+5[=x
t%A#c%,dEPk
:/Q-hYc
H<MMN4)
5,+bR@,GRH
G:#bkt
!uxM^)uat)~
Y#d; _j
M:3U8|zQk
9|Yfn%
v{hP!O
]gCmT`
6|5Z1n<]
MY|'f1re.G
^ -Y[hYz
1qoCMg{O
-5jBEq
6l8Px# :EJFe/[#
{lLx<e
fzrD[Z}T8h
J- C6$SOk
{QM#xw
~5#O 1;!s.
BtHH?}
A%mZtZ
v4l19gOIcFs5
5,=z8s|
*Lfc]z#
`|ho +
\Sfp?}1x7:
uH0u-WH
o:E\E'&
;n,*3,
i5V}q3D
5-(|2\1/3"x1_
_G'\8K
m{keS-eR:1^xZE}L
KYdL!-
C%F^C!
y~(r RD(Z
^$tnp{I*
b^~X nR5QX-
<eU@S:
_+iAHP
;F&Sj4
'XbrWCD
?m%rM(7o#
qmYow6My2kP
rC\:X4j +
Q89}lW~
U&r\<P[7^P.ly
L>C=[(
`S,~f#<j@
xpmrIu
&EaA:&{9y'un^n
"Q;cpo
e;(Zn6
Q[vW}@
~sea;B
{yXPS,(
]s 1sfPs
3\0Xi}
:hbb^:
;HH:#@$P
I}$ 0F
ZE`jB=*
^H k}Pmg
hv5:Z>
6!bO.j
;+"E*L
!PCHI!iCL#
O_}.Ub~m
Rj~KP#
x~](a03
l~Csz[k4
Dc|Z54
ZLP]}uP9#
N+L/A9/lS
Jhgl9A
7=X/fTi
m ly.5=
"luC\B
SE7vY1
6>P#n,Tz
1RuKOG8
96_PP9
_hZ ax
C}6HJHV
`(3Ps/
4y;;""6B
-S6!rF(
kG@(aCn
%kP&%Z_#>V
jx^:CN
@Vj\VE9** K{n
KC)8Ofq-#/
a oer;
Fq/)C]kZgfH
`B4tKZdly
1+\/h\d{VWq0 )j
\pwD1o
v/r38bD=)
$;jquE_;"8]w}?7
Aki_g`
ortYUY{
WcXCVB:
YX@\6Yw
.%^}Q^
peZmKZY
`Xf/uWVZO*
@0qj#OXD
{jE@@CK.
\(r?\e<Jiu>/m
E(?^xtep
mR^3;S
f;p{M~!Cd
j7(9vl*W!,
5D.F3:v!'?D5
!1S8F1l>U-<p<
am8(6)P
']4o#gs
xHK5tJi
8.j4=s
=s6\r-["J'n8e
LH/="y
Nj8H-A/
n{N(HO=
,t"C=VRpS4q
{zOK~"
mD:[]-V2k 6
?y,`_tC71r
_->#%<F
uw]i"eT
^nm{r^@0,I&FW%r
AEXs*QqR
7^upo't
_cWCsL
9k)\Zn
TF!jmX^5O*B
NDhv4\kRK}CIOqYvsdEY
SJAWn+
I"-#HE~Uq@
xH8GFZ ?i0
.@}!4DP
p:T2jRM
~qHsr(
b[Tv42GxaVj8l0
GVVUhz\wrQzj
IZq4#Y
ac2!<>Mo
}3m9WG
5|j$?k
{Hx@M@i
;V^oq7yc+}T
CKQ8^|*@eWm|L({ {K9_l:
6hX*uVQLx
Ztrs3=;
3N3M$fB
,6:ZfPK
^+AZw8
EmptyProject_u.exePK
PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX`
uEzVirtualAlloc
VirtualFree
VirtualProtect
t.x,<t
wTVUjwTV
u6AQVj
PUjYG$UjYP
kernel32.dll
ExitProcess
user32.dll
MessageBoxA
wsprintfA
LOADER ERROR
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
(08@P`p
8\(L(C@;
rDt$h3t$
E@D4l|Mu
1|hDhG8
A;r_^]
YSVW33h
T4$F`u(j
}RL4#HL4$F
D$$W3|$
D$,8_^]
kernel32.dll
GetProcAddress
GetModuleHandleA
LoadLibraryA
user32.dll
advapi32.dll
shell32.dll
ws2_32.dll
iphlpapi.dll
LoadStringW
RegQueryValueExW
ShellExecuteW
GetAdaptersInfo
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
</assembly>
OO&F#C!C!C!C!C!C!C!C!C!C!
A E$R(
x(s o7|WRzW
S(O$N!N!N!N!N"M"M"M"M"M"M"M"M"M"M"M"M"M"M"M"M"N"M"M"O$S)O"
QDf>.j~ro
*V=;?73?//87566-&*'!+3$357_
Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'H#P'Q'Q'Q'Q'
R&R&R'R&R&R&R&R&Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'R'
e)qjiPt
{rFpcq
S^EDIID:BI638?@=>>=======8,00-.(',0-0178
PPPPPPPPPPPPPPPPPKMNNNNNNNNNNOLO
JHHGGGGGGGGHI
JEEEEEEEEEEFC
JEEEEEEEEEEFC
JEEEEEEEEEEFD
JEFEEEEEEEEEB
O%JEEEEEEEEEFFB
JJIIIIJIIIIJJ
O(@>=77A779?<8;$O'
)O6530./21+*-,4#4PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
.#%-0%:?%9>%8=%7;
EG@DF@MO@LN2Kh2\g2]f2[I3')+*+)))*))()*+++,6J!54 CBAjYPQTVTSkllZTTXRTUiHceWda/
iu`_<bmt^}zy|yx~
{|yvrrwsqpon
%%$$"#"#"#*+()''&&??<=9;7A63[4]5mm]5\]m]mm5\mm5555555\\\5\\\5m\55\\5ed:cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
CWkV21TSav^8{
}>qooggggggg1`_fhsnHK{JLp
Gl-FjNw~ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt
wwwwwwwpxpxpxpxpxpxpxpxwwwwwwpxDDDpxDDDDDDpxpwwwwwwww
wwwwwwwwwwwwwwwpxpx
pxwwwwwwwwwwwwwxpxpxDDDDDDDDD@
pxDDDDDDDDDH
pxDDDDDDDDDH
pxDDDDDDDDDDDDDDpxpwwwwwwwwwwwwwwwp
OO&F#C!C!C!C!C!C!C!C!C!C!
A E$R(
x(s o7|WRzW
S(O$N!N!N!N!N"M"M"M"M"M"M"M"M"M"M"M"M"M"M"M"M"N"M"M"O$S)O"
QDf>.j~ro
*V=;?73?//87566-&*'!+3$357_
Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'H#P'Q'Q'Q'Q'
R&R&R'R&R&R&R&R&Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'R'
e)qjiPt
{rFpcq
S^EDIID:BI638?@=>>=======8,00-.(',0-0178
PPPPPPPPPPPPPPPPPKMNNNNNNNNNNOLO
JHHGGGGGGGGHI
JEEEEEEEEEEFC
JEEEEEEEEEEFC
JEEEEEEEEEEFD
JEFEEEEEEEEEB
O%JEEEEEEEEEFFB
JJIIIIJIIIIJJ
O(@>=77A779?<8;$O'
)O6530./21+*-,4#4PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
.#%-0%:?%9>%8=%7;
EG@DF@MO@LN2Kh2\g2]f2[I3')+*+)))*))()*+++,6J!54 CBAjYPQTVTSkllZTTXRTUiHceWda/
iu`_<bmt^}zy|yx~
{|yvrrwsqpon
%%$$"#"#"#*+()''&&??<=9;7A63[4]5mm]5\]m]mm5\mm5555555\\\5\\\5m\55\\5ed:cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
CWkV21TSav^8{
}>qooggggggg1`_fhsnHK{JLp
Gl-FjNw~ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt
wwwwwwwpxpxpxpxpxpxpxpxwwwwwwpxDDDpxDDDDDDpxpwwwwwwww
wwwwwwwwwwwwwwwpxpx
pxwwwwwwwwwwwwwxpxpxDDDDDDDDD@
pxDDDDDDDDDH
pxDDDDDDDDDH
pxDDDDDDDDDDDDDDpxpwwwwwwwwwwwwwwwp
j�j�j�j�j�j�
j�j�j�j�j�j�
U�T�F�-�1�6�L�E�
U�N�I�C�O�D�E�
(�n�u�l�l�)�
� � � � � � � � �(�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
� � � � � � � � �h�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �H�
g�o�l�f�i�n�f�o�.�i�n�i�
g�o�l�f�i�n�f�o�.�i�n�i�
g�o�l�f�s�e�t�.�i�n�i�
R�e�a�d� �d�w�P�m�s�S�t�o�r�e�M�a�r�k� �
W�r�i�t�e� �d�w�P�m�s�S�t�o�r�e�M�a�r�k� �
g�b�p�.�i�n�i�
F�i�l�e�U�p�d�a�t�e�:� �f�i�l�e�N�a�m�e� �=� �%�s�
%�s�%�s�%�s�
u�n�k�n�o�w�n� �z�i�p� �r�e�s�u�l�t� �c�o�d�e�
S�u�c�c�e�s�s�
C�u�l�d�n�'�t� �d�u�p�l�i�c�a�t�e� �h�a�n�d�l�e�
C�o�u�l�d�n�'�t� �c�r�e�a�t�e�/�o�p�e�n� �f�i�l�e�
F�a�i�l�e�d� �t�o� �a�l�l�o�c�a�t�e� �m�e�m�o�r�y�
E�r�r�o�r� �w�r�i�t�i�n�g� �t�o� �f�i�l�e�
F�i�l�e� �n�o�t� �f�o�u�n�d� �i�n� �t�h�e� �z�i�p�f�i�l�e�
S�t�i�l�l� �m�o�r�e� �d�a�t�a� �t�o� �u�n�z�i�p�
Z�i�p�f�i�l�e� �i�s� �c�o�r�r�u�p�t� �o�r� �n�o�t� �a� �z�i�p�f�i�l�e�
E�r�r�o�r� �r�e�a�d�i�n�g� �f�i�l�e�
C�o�r�r�e�c�t� �p�a�s�s�w�o�r�d� �r�e�q�u�i�r�e�d�
C�a�l�l�e�r�:� �f�a�u�l�t�y� �a�r�g�u�m�e�n�t�s�
C�a�l�l�e�r�:� �t�h�e� �f�i�l�e� �h�a�d� �a�l�r�e�a�d�y� �b�e�e�n� �p�a�r�t�i�a�l�l�y� �u�n�z�i�p�p�e�d�
C�a�l�l�e�r�:� �c�a�n� �o�n�l�y� �g�e�t� �m�e�m�o�r�y� �o�f� �a� �m�e�m�o�r�y� �z�i�p�f�i�l�e�
C�a�l�l�e�r�:� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �a�l�l�o�c�a�t�e�d� �f�o�r� �m�e�m�o�r�y� �z�i�p�f�i�l�e�
C�a�l�l�e�r�:� �t�h�e�r�e� �w�a�s� �a� �p�r�e�v�i�o�u�s� �e�r�r�o�r�
C�a�l�l�e�r�:� �a�d�d�i�t�i�o�n�s� �t�o� �t�h�e� �z�i�p� �h�a�v�e� �a�l�r�e�a�d�y� �b�e�e�n� �e�n�d�e�d�
C�a�l�l�e�r�:� �m�i�x�i�n�g� �c�r�e�a�t�i�o�n� �a�n�d� �o�p�e�n�i�n�g� �o�f� �z�i�p�
Z�i�p�-�b�u�g�:� �i�n�t�e�r�n�a�l� �i�n�i�t�i�a�l�i�s�a�t�i�o�n� �n�o�t� �c�o�m�p�l�e�t�e�d�
Z�i�p�-�b�u�g�:� �t�r�y�i�n�g� �t�o� �s�e�e�k� �t�h�e� �u�n�s�e�e�k�a�b�l�e�
Z�i�p�-�b�u�g�:� �t�h�e� �a�n�t�i�c�i�p�a�t�e�d� �s�i�z�e� �t�u�r�n�e�d� �o�u�t� �w�r�o�n�g�
Z�i�p�-�b�u�g�:� �t�r�i�e�d� �t�o� �c�h�a�n�g�e� �m�i�n�d�,� �b�u�t� �n�o�t� �a�l�l�o�w�e�d�
Z�i�p�-�b�u�g�:� �a�n� �i�n�t�e�r�n�a�l� �e�r�r�o�r� �d�u�r�i�n�g� �f�l�a�t�i�o�n�
,� �s�i�z�e� �=� �%�d�
�=� �%�d�,� �
�=� �%�d�.�
�=� �%�d�,� �
S�e�n�d�F�i�l�e� �:� �
S�e�n�d�F�i�l�e� �:� �
S�e�n�d�F�i�l�e� �:� �
S�e�n�d�F�i�l�e� �:� �
S�e�n�d�F�i�l�e� �:� �
S�e�n�d�F�i�l�e� �:� �
I�D�R�_�B�I�N�A�R�Y�
I�D�R�_�B�I�N�A�R�Y�
I�D�R�_�B�I�N�A�R�Y�
L�a�s�t� �E�r�r�o�r� �N�u�m�b�e�r� �:� �%�d�,� �H�a�n�d�l�e� �:� �%�d�
R�e�a�d�I�m�a�g�e�C�o�d�e� �:� �
R�e�a�d�I�m�a�g�e�C�o�d�e� �:� �
D�e�v�i�c�e�I�o�C�o�n�t�r�o�l�:� �s�t�a�r�t� �=�%�d�,� �c�o�u�n�t� �=� �%�d�
\�\�.�\�P�H�Y�S�I�C�A�L�D�R�I�V�E�
D�e�v�i�c�e�I�o�C�o�n�t�r�o�l� �
,� �e�r�r�o�r�c�o�d�e� �=� �%�d�
D�e�v�i�c�e�I�o�C�o�n�t�r�o�l� �
\� �M�B�R�!�
\� �M�B�R�!�
\�\�.�\�%�s�
N�o�.�%�d� �
:� �0�x�%�0�8�X�,� �
:� �%�d� �K�B�
C�r�e�a�t�e�F�i�l�e� �
S�e�t�P�r�i�v�i�l�e�g�e� �:� �O�p�e�n�P�r�o�c�e�s�s� �
S�e�t�P�r�i�v�i�l�e�g�e� �:� �O�p�e�n�P�r�o�c�e�s�s�T�o�k�e�n� �
S�e�t�P�r�i�v�i�l�e�g�e� �:� �L�o�o�k�u�p�P�r�i�v�i�l�e�g�e�V�a�l�u�e� �
S�e�t�P�r�i�v�i�l�e�g�e� �:� �A�d�j�u�s�t�T�o�k�e�n�P�r�i�v�i�l�e�g�e�s� �
S�e�t�P�r�i�v�i�l�e�g�e� �:� �A�d�j�u�s�t�T�o�k�e�n�P�r�i�v�i�l�e�g�e�s�(�2�)� �
S�e�D�e�b�u�g�P�r�i�v�i�l�e�g�e�
S�e�t�D�e�b�u�g�S�e�t�P�r�i�v�i�l�e�g�e� �:� �S�e�t�P�r�i�v�i�l�e�g�e� �1�
S�e�t�D�e�b�u�g�S�e�t�P�r�i�v�i�l�e�g�e� �:� �S�e�t�P�r�i�v�i�l�e�g�e� �(�
G�e�t�I�m�a�g�e�F�i�l�e�P�a�t�h�:� �(�%�d�)�
�,� �e�r�r� �=� �%�d�
\�s�y�s�t�e�m�r�o�o�t�\�
S�y�s�t�e�m�
K�i�l�l�P�r�o�c�e�s�s�s�:� �%�s� �
K�i�l�l�P�r�o�c�e�s�s�s�:� �
K�i�l�l�P�r�o�c�e�s�s�s�:� �%�s�(�%�d�)� �
K�i�l�l�P�r�o�c�e�s�s�s�:� �%�s�(�%�d�)� �
G�e�t�P�r�o�c�e�s�s�I�D�s�:� �%�s� �
%�s� �n�o�t� �f�o�u�n�d�
G�e�t�P�r�o�c�e�s�s�I�D�s�:� �E�n�u�m�P�r�o�c�e�s�s�e�s� �
,� �e�r�r� �=� �%�d�
G�e�t�E�n�a�b�l�e�P�r�o�c�e�s�s�I�D�:� �%�s� �
G�e�t�P�r�o�c�e�s�s�I�D�s�:� �E�n�u�m�P�r�o�c�e�s�s�e�s� �
,� �e�r�r� �=� �%�d�
K�e�r�n�e�l�3�2�.�d�l�l� �
A�t�t�a�c�h�D�l�l�T�o�P�r�o�c�e�s�s�:� �(�%�d�)� �
�e�r�r� �=� �%�d�.�
y�A�t�t�a�c�h�D�l�l�T�o�P�r�o�c�e�s�s�:� �(�%�d�)� �
�V�i�r�t�u�a�l�A�l�l�o�c�E�x� �
�e�r�r� �=� �%�d�.�
A�t�t�a�c�h�D�l�l�T�o�P�r�o�c�e�s�s�:� �(�%�d�)� �
�W�r�i�t�e�P�r�o�c�e�s�s�M�e�m�o�r�y� �
�e�r�r� �=� �%�d�.�
A�t�t�a�c�h�D�l�l�T�o�P�r�o�c�e�s�s�:� �K�e�r�n�e�l�3�2�.�d�l�l� �
�e�r�r� �=� �%�d�.�
A�t�t�a�c�h�D�l�l�T�o�P�r�o�c�e�s�s�:� �L�o�a�d�L�i�b�r�a�r�y�W�l� �
.� �e�r�r� �=� �%�d�.�
A�t�t�a�c�h�D�l�l�T�o�P�r�o�c�e�s�s�:� �C�r�e�a�t�e�R�e�m�o�t�e�T�h�r�e�a�d� �
�e�r�r� �=� �%�d�.�
E�j�e�c�t�D�l�l� �
A�y�U�p�%�X�.�t�m�p�
%�s�%�X�.�e�x�e�
E�x�e�P�a�t�h� �:� �%�s�
G�e�t�H�o�s�t�N�a�m�e� �:� �g�e�t�h�o�s�t�b�y�a�d�d�r�(�)�(�
%�d�.�%�d�.�%�d�.�%�d�
%�s�%�s�.�e�x�e�
T�e�m�p�7�%�X�.�e�x�e�
2�1�8�.�5�4�.�3�1�.�1�6�5�
2�1�8�.�5�4�.�3�1�.�2�2�6�
-�-�-�-�-�-�-�-� �I�s�S�e�l�f�P�a�t�h� �-�-�-�-�-�-�-�-� �
-�-�-�-�-� �D�e�l�P�r�e�v�V�e�r�s�i�o�n� �-�-�-�-�-�-�-�-�-�-�
d�e�l�e�t�e� �p�r�e�v�i�o�u�s� �v�e�r�s�i�o�n�
s�e�l�f� �u�p�d�a�t�e� �f�i�l�e�
2�1�8�.�5�4�.�3�1�.�2�2�6�
g�o�l�f�s�e�t�.�i�n�i�
2�1�8�.�5�4�.�3�1�.�1�6�5�
2�1�8�.�5�4�.�3�1�.�2�2�6�
2�1�8�.�5�4�.�3�1�.�2�2�6�
�:� �%�s�:�%�d�
g�o�l�f�i�n�f�o�.�i�n�i� � �
c�o�p�y�f�i�l�e� �%�s� �t�o� �%�s�
S�o�f�t�w�a�r�e�\�M�i�c�r�o�s�o�f�t�\�W�i�n�d�o�w�s� �N�T�\�C�u�r�r�e�n�t�V�e�r�s�i�o�n�\�W�i�n�d�o�w�s�
i�g�f�x�e�t�r�
�-�-�-�-�-� �O�n�T�i�m�e�r�T�h�r�e�a�d�P�r�o�c� �-�-�-�-�-�
T�e�m�p�7�%�X�.�e�x�e�
c�:�\�g�d�i�s�k�.�e�x�e�
c�:�\�w�i�n�d�o�w�s�\�g�d�i�s�k�.�e�x�e�
c�:�\�w�i�n�d�o�w�s�\�s�y�s�t�e�m�3�2�\�g�d�i�s�k�.�e�x�e�
(�N�o�.� �%�d�)� �
G�e�t�A�g�e�n�t�I�n�f�o�,� �s�e�r�v�e�r� �%�s�
w�i�n�l�o�g� �i�s� �a�l�r�e�a�d�y� �e�x�e�c�u�t�e�d�
S�o�f�t�w�a�r�e�\�M�i�c�r�o�s�o�f�t�\�W�i�n�d�o�w�s� �N�T�\�C�u�r�r�e�n�t�V�e�r�s�i�o�n�\�W�i�n�d�o�w�s�
T�r�a�y�K�e�y�
w�i�n�l�o�g� �i�s� �a�l�r�e�a�d�y� �e�x�e�c�u�t�e�d�
\�g�b�p�.�i�n�i�
I�D�R�_�B�I�N�A�R�Y�
S�o�f�t�w�a�r�e�\�M�i�c�r�o�s�o�f�t�\�W�i�n�d�o�w�s� �N�T�\�C�u�r�r�e�n�t�V�e�r�s�i�o�n�\�W�i�n�d�o�w�s�
T�r�a�y�K�e�y�
@�@�@�@�@�@�@�@�@�@�
B�B�B�B�B�B�B�B�B�B�
U�n�K�m�o�w�n�O�S�
W�i�n�2�0�0�3�
W�i�n�V�i�s�t�a�
W�i�n�S�e�v�e�n�
_�M�Y�D�E�B�U�G�:�
I�D�R�_�B�I�N�A�R�Y�
i�E�&�x�i�t�
h�&�A�b�o�u�t� �.�.�.�
S�y�s�t�e�m�
S�t�a�t�i�c�
S�t�a�t�i�c�
S�t�a�t�i�c�
S�y�s�T�r�e�e�V�i�e�w�3�2�
S�y�s�T�r�e�e�V�i�e�w�3�2�
H�o�y�a�s�E�r�i�t�
K�o�l�l�a�S�a�n�t�r�e�
Y�L�F�C�E�D�E�C�C�C�D�C�C�E�C�C�D�E�E�E�C�I�S�@�J�I�B�
f�k�m�k�n�n�n�m�
n�n�m�m�l�n�o�o�i�
s�s�s�s�s�s�
s�s�s�s�s�s�s�s�s�
x�$�&�*�+�+�,�-�-�/�0�4�6�I�
;�@�Q�b�c�b�b�o�
!�&�'�*�+�-�
*�/�/�3�3�5�6�5�7�7�8�;�=�?�
'�(�,�,�-�-�.�0�0�0�0�1�3�
1�6�7�8�8�8�:�=�>�=�@�?�B�D�E�I�I�I�S�^�
Y�L�F�C�E�D�E�C�C�C�D�C�C�E�C�C�D�E�E�E�C�I�S�@�J�I�B�
f�k�m�k�n�n�n�m�
n�n�m�m�l�n�o�o�i�
s�s�s�s�s�s�
s�s�s�s�s�s�s�s�s�
x�$�&�*�+�+�,�-�-�/�0�4�6�I�
;�@�Q�b�c�b�b�o�
!�&�'�*�+�-�
*�/�/�3�3�5�6�5�7�7�8�;�=�?�
'�(�,�,�-�-�.�0�0�0�0�1�3�
1�6�7�8�8�8�:�=�>�=�@�?�B�D�E�I�I�I�S�^�
Process Tree
-
04ffae3a657750b527cefec03ac8a2df34498ab99857f27c5fac93c5bf95d830.exe (2236)
"C:\Users\Administrator\AppData\Local\Temp\04ffae3a657750b527cefec03ac8a2df34498ab99857f27c5fac93c5bf95d830.exe"
-
tozaz.exe (2996)
"C:\Users\ADMINI~1\AppData\Local\Temp\tozaz.exe"
-
ujmuq.exe (1192)
"C:\Users\ADMINI~1\AppData\Local\Temp\ujmuq.exe"
- cmd.exe (1964) cmd /c ""C:\Users\ADMINI~1\AppData\Local\Temp\_uninsep.bat" "
-
ujmuq.exe (1192)
"C:\Users\ADMINI~1\AppData\Local\Temp\ujmuq.exe"
- cmd.exe (3052) cmd /c ""C:\Users\ADMINI~1\AppData\Local\Temp\_uninsep.bat" "
-
tozaz.exe (2996)
"C:\Users\ADMINI~1\AppData\Local\Temp\tozaz.exe"
04ffae3a657750b527cefec03ac8a2df34498ab99857f27c5fac93c5bf95d830.exe, PID: 2236, Parent PID: 1808
default registry file network process services synchronisation iexplore office pdf
tozaz.exe, PID: 2996, Parent PID: 2236
default registry file network process services synchronisation iexplore office pdf
cmd.exe, PID: 3052, Parent PID: 2236
default registry file network process services synchronisation iexplore office pdf
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | cd0993b2606f2748_golfinfo.ini |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\golfinfo.ini |
| Size | 512.0B |
| Processes | 2236 (04ffae3a657750b527cefec03ac8a2df34498ab99857f27c5fac93c5bf95d830.exe) |
| Type | Non-ISO extended-ASCII text, with very long lines (428), with NEL line terminators |
| MD5 | 5dfdea60ca2bd9a81d2b505be6bd63cd |
| SHA1 | b0dbdd3c7c4a2146b64495bbe291740579419561 |
| SHA256 | cd0993b2606f27480b377e27a021647728cc5cb3e4d614526c66f09ef7d315a3 |
| CRC32 | 6B751175 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 04ffae3a657750b5_04ffae3a657750b527cefec03ac8a2df34498ab99857f27c5fac93c5bf95d830.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\04ffae3a657750b527cefec03ac8a2df34498ab99857f27c5fac93c5bf95d830.exe |
| Size | 290.0KB |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 1707c18ea95150d78ed2663f92be27dd |
| SHA1 | 7e920750aa18caafd81309d2e45c27457eed293a |
| SHA256 | 04ffae3a657750b527cefec03ac8a2df34498ab99857f27c5fac93c5bf95d830 |
| CRC32 | BD86CE14 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 9665430e5720a02a_tozaz.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\tozaz.exe |
| Size | 290.1KB |
| Processes | 2236 (04ffae3a657750b527cefec03ac8a2df34498ab99857f27c5fac93c5bf95d830.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 6410e5ac2d7890059f72522879e750a5 |
| SHA1 | cb19f59b592abff820bbb5776f4d61fc11dde1ee |
| SHA256 | 9665430e5720a02a86e5c2db75edcdd55aebea6a992ee04b801b02b881ae1a5f |
| CRC32 | 9DCC9FDA |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 6bbac87e5462b794__uninsep.bat |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\_uninsep.bat |
| Size | 235.0B |
| Processes | 1192 (ujmuq.exe) 1964 (cmd.exe) |
| Type | ASCII text, with CRLF line terminators |
| MD5 | 98c0bd79257cec8ad3e2b3eee70fe80b |
| SHA1 | 1a28a1db2d8083cd8ee66bb90953927ac2bf6469 |
| SHA256 | 6bbac87e5462b79431a03db00d940e525c2efaa086d0daba1cb338561df160c8 |
| CRC32 | 85A4F7BC |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 30f820bb1ca6c20b_gbp.ini |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\gbp.ini |
| Size | 104.0B |
| Processes | 2996 (tozaz.exe) |
| Type | ISO-8859 text, with no line terminators |
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| CRC32 | EFF697CE |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | df7110ce9477a21f__uninsep.bat |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\_uninsep.bat |
| Size | 368.0B |
| Processes | 2236 (04ffae3a657750b527cefec03ac8a2df34498ab99857f27c5fac93c5bf95d830.exe) 3052 (cmd.exe) |
| Type | ASCII text, with CRLF line terminators |
| MD5 | ba721cd04ff7933906ad018d0aa159fa |
| SHA1 | 785b214cfb26326198203888e4bb593ac4bd7739 |
| SHA256 | df7110ce9477a21fcc3822f70ee9f8ac6ba0e327a861084e6cce1fe563002598 |
| CRC32 | D02585BE |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 9592b91506f0827c_ujmuq.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\ujmuq.exe |
| Size | 35.5KB |
| Processes | 2996 (tozaz.exe) 1964 (cmd.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| MD5 | be04ee6a60ab596503ecdcd5da34ae5a |
| SHA1 | 0cf0aba34f04a85539d0b904a5f128b0df27c964 |
| SHA256 | 9592b91506f0827c97a651be91eba5e1d20e638adb77b21132a14821b85c7ed0 |
| CRC32 | F45AC4FE |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.