2.6
中危
DACN
0.12
FACILE
1.00
IMCLNet
0.81
MFGraph
0.00
反病毒引擎
未检测
暂无反病毒引擎检测结果
静态指标
检查进程是否被调试器调试
(2 个事件)
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1727545282.25025 IsDebuggerPresent |
failed | 0 | 0 | |
|
1727545284.859 IsDebuggerPresent |
failed | 0 | 0 |
观察到命令行控制台输出
(11 个事件)
动态指标
在文件系统上创建可执行文件
(2 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\sanfdr.bat |
| file | C:\Users\Administrator\AppData\Local\Temp\opert.exe |
投放一个二进制文件并执行它
(2 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\opert.exe |
| file | C:\Users\Administrator\AppData\Local\Temp\sanfdr.bat |
将可执行文件投放到用户的 AppData 文件夹
(2 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\opert.exe |
| file | C:\Users\Administrator\AppData\Local\Temp\026eb9f75f32289a20cf0118c739b50afac141440912910496b64045c32a656a.exe |
一个进程创建了一个隐藏窗口
(1 个事件)
检查适配器地址以检测虚拟网络接口
(1 个事件)
网络通信
与未执行 DNS 查询的主机进行通信
(4 个事件)
| host | 114.114.114.114 | |||
| host | 121.88.5.183 | |||
| host | 121.88.5.184 | |||
| host | 218.54.28.139 | |||
从磁盘删除已执行的文件
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\sanfdr.bat |
连接到不再响应请求的 IP 地址(合法服务通常会保持运行)
(3 个事件)
| dead_host | 121.88.5.183:11120 |
| dead_host | 121.88.5.184:11170 |
| dead_host | 218.54.28.139:11120 |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2014-01-15 20:58:00
PE Imphash
6b4c9b1e25397fd23045edf6399815a1
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x0002a000 | 0x00028e00 | 4.390655328218432 |
| .rsrc | 0x0002b000 | 0x0000d000 | 0x0000c800 | 4.564184099101417 |
| .reloc | 0x00038000 | 0x00001000 | 0x00000200 | 0.2162069074398449 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x000366c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000366c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000366c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000366c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000366c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000366c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000366c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000366c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000366c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000366c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000366c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000366c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000366c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000366c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000366c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_ICON | 0x000366c8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_STRING | 0x00036b30 | 0x00000044 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_GROUP_ICON | 0x00036bf0 | 0x00000076 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_GROUP_ICON | 0x00036bf0 | 0x00000076 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
| RT_MANIFEST | 0x00036c68 | 0x0000015a | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library KERNEL32.dll:
• 0x41301c CreateEventW
• 0x413020 CreateThread
• 0x413024 GetSystemDirectoryW
• 0x413028 DeleteFileW
• 0x41302c GetModuleFileNameW
• 0x413030 GetVersionExW
• 0x413034 ReadFile
• 0x413038 CreateFileW
• 0x41303c DeviceIoControl
• 0x413040 GetTempPathA
• 0x413044 GetModuleFileNameA
• 0x413048 HeapAlloc
• 0x41304c GetProcessHeap
• 0x413050 HeapFree
• 0x413054 MultiByteToWideChar
• 0x413058 GetModuleHandleW
• 0x41305c WriteFile
• 0x413060 GetLastError
• 0x413064 SetFilePointer
• 0x413068 WideCharToMultiByte
• 0x41306c CloseHandle
• 0x413070 SetEndOfFile
• 0x413074 GetLocaleInfoA
• 0x413078 GetStringTypeW
• 0x41307c GetStringTypeA
• 0x413080 LCMapStringW
• 0x413084 LCMapStringA
• 0x413088 HeapSize
• 0x41308c CreateFileA
• 0x413090 GetSystemWindowsDirectoryW
• 0x413094 GetTickCount
• 0x413098 ExitProcess
• 0x41309c Sleep
• 0x4130a0 OpenEventW
• 0x4130a4 LoadLibraryA
• 0x4130a8 WriteConsoleW
• 0x4130ac GetConsoleOutputCP
• 0x4130b0 WriteConsoleA
• 0x4130b4 FlushFileBuffers
• 0x4130b8 SetStdHandle
• 0x4130bc InitializeCriticalSectionAndSpinCount
• 0x4130c0 IsValidCodePage
• 0x4130c4 GetOEMCP
• 0x4130c8 GetACP
• 0x4130cc GetCPInfo
• 0x4130d0 RaiseException
• 0x4130d4 GetFileAttributesW
• 0x4130d8 GetTempPathW
• 0x4130dc GetStartupInfoW
• 0x4130e0 TerminateProcess
• 0x4130e4 GetCurrentProcess
• 0x4130e8 UnhandledExceptionFilter
• 0x4130ec SetUnhandledExceptionFilter
• 0x4130f0 IsDebuggerPresent
• 0x4130f4 EnterCriticalSection
• 0x4130f8 LeaveCriticalSection
• 0x4130fc RtlUnwind
• 0x413100 GetConsoleCP
• 0x413104 GetConsoleMode
• 0x413108 GetProcAddress
• 0x41310c GetStdHandle
• 0x413110 FreeEnvironmentStringsW
• 0x413114 GetEnvironmentStringsW
• 0x413118 GetCommandLineW
• 0x41311c SetHandleCount
• 0x413120 GetFileType
• 0x413124 GetStartupInfoA
• 0x413128 DeleteCriticalSection
• 0x41312c TlsGetValue
• 0x413130 TlsAlloc
• 0x413134 TlsSetValue
• 0x413138 TlsFree
• 0x41313c InterlockedIncrement
• 0x413140 SetLastError
• 0x413144 GetCurrentThreadId
• 0x413148 InterlockedDecrement
• 0x41314c HeapCreate
• 0x413150 VirtualFree
• 0x413154 QueryPerformanceCounter
• 0x413158 GetCurrentProcessId
• 0x41315c GetSystemTimeAsFileTime
• 0x413160 VirtualAlloc
• 0x413164 HeapReAlloc
Library USER32.dll:
• 0x413178 LoadIconW
• 0x41317c RegisterClassExW
• 0x413180 CreateWindowExW
• 0x413184 DefWindowProcW
• 0x413188 BeginPaint
• 0x41318c LoadAcceleratorsW
• 0x413190 LoadCursorW
• 0x413194 wsprintfW
• 0x413198 LoadStringW
• 0x41319c PostQuitMessage
• 0x4131a0 EndPaint
Library ADVAPI32.dll:
• 0x413000 RegQueryValueExW
• 0x413004 RegSetValueExW
• 0x413008 RegCloseKey
• 0x41300c RegOpenKeyExW
Library WS2_32.dll:
• 0x4131a8 WSAStartup
• 0x4131ac htonl
• 0x4131b0 gethostbyaddr
• 0x4131b4 socket
• 0x4131b8 gethostbyname
• 0x4131bc inet_addr
• 0x4131c0 htons
• 0x4131c4 connect
• 0x4131c8 closesocket
• 0x4131cc send
• 0x4131d0 WSAGetLastError
• 0x4131d4 recv
Library IPHLPAPI.DLL:
• 0x413014 GetAdaptersAddresses
L!This program cannot be run in DOS mode.
agagaghNghsgh
lgafghgg
`gh`gRichag
PEC2NO
.reloc
VPfPdp
3VPfPJp
t(PVP4
M_^3[^4
ESVW3h
@@f;u50A
uHPEPPShLA
@@f;u+u/hLA
@@f;u)WhLA
@@f;uW
j^rSPfm
@@f;u+D
M_^33[
3WVWWW
;v!f9=
3VfEEWP}xj
@@fupA
ESVW3h
@@f;uh
GGf;uXOA
36VSSS
cSSSh6@
3@M_^3[5+
@;rMSMP;u
3@M_^3[*
@@f;u+
fEEVPQe
WEVPR*
EPEP -
t u3FVh
@;rMSMP;u
3@M_^3[(
PfEEP3c
jQXflp+
@@f;u3
@@f;u3
n@@f;u
n@@f;ujQXflp+
@@f;u3
@@f;uf9
@@f;u+t#VSh
f9uBhOA
@@f;u+t
jdY3RP
@@f;u+D
3@M_^3[#
3VfhjSP^
hSP3{^
3j>fEESP]
3j>fxzSP]
@@f;u3
x@@f;u
GGf;uOA
EPSW;uh
@@f;u3
@@f;u3
@@f;uffA
@@f;uf:6fA
M_^3[a
f3VPX[
@@f;u3
@@f;u3
@@f;u=pA
3FM3^)
PL$6Q3fD$8X
D$"D$&D$*D$.D$2D$6fD$:D$
PL$0Q9(
tz_GBP9s
fu+uS)
D$-SP3\$4GV
RD$$D$(D$ D$,h
D$4PW\$(\$$\$0\$4
3VWfL$
D$"D$&D$*D$.D$2D$6fD$:$D
L$HQWWh
T$PD$LWh
$SUVWj
RD$LPq
_^]3[Y
[YVWVj
D$$&rA
@uVW$
D$ PQ(
D$8RP(
L$8QR(
]3[YWhrA
][YQSU-L0A
_^][Y_^][Y
3lQSWj
~PFJWP
[YSUVD$
@u-T0A
GWVjPj
L$&3VQD$(
fD$,|F
T$ Rt$
T$ RD$ PL$
u#u T$
tJ;~8+
D$ SPF
_^][3^
RD$2P|$0L$ fT$4A
\$(\$ t
t$ 33f
D$(ST$
~yT$ L$$RD$
WQD$$?
QD$0R>
3VQD$(
D$.3VPt$$t$ t$,fT$4=
RPt$ x
RD$ PL$(Q
f9T$ ua|$
L$,QT$
_^][3;
SVW3;t
^0WWWWW
AAFFf;t
Ku3;uf
SVW3;t
^0WWWWW%
AAKu;t
AAFFf;t
Ku3;uf
U S39]
;t$;u
;tU;|BMx
YYt"Mx
39]fD~
VVVVV[
;t3f97
uf93u !
jEPhLA
_VVVVV8J
VW3M]9}
E+)E(V-
3PPPPPEN
Y}V*YEE
SVW39}
}O;]rOt
u+WuV2
M+;rP})E
YYt)EF
YY]jXh
@@fufM
@@fu3_[]
^0WWWWW
GGBBft
f_^]UW}
SW=H0A
E3B;r9]u
S3VW;t
^0SSSSS'
3_^[]j
jEPhLA
YVMhuA
7GGEPj
RPjjEUCh
M]EUVe
Yu)jAXf;w
E;ErCE9Eu
3;Er/w
QuuuSg
u>9ur9w
`p33_^[
U]UQSV3;u
^SSSSS0
^SSSSS0
IGG;r3_^[
U S39]
;t4;|"Mx
SSSSSd
,ffffffE
P~CC>Yu
3PPPPP
t4+t$+t
ItQht@lt
3F tBP
itmnt$o
YYYfgu
YYY>-u
jj0XfQfE
t-RPSW
`pM_^3[
;r =(A
W3E}}}
FFf> t
at8rt+wt
E}9}urE
E9}u:eE
FFf> tj
FFf> tf9>
Y]3u;5A
4V<YYA
+SVWLA
1E3PeuEEEEd
Y__^[]Q
E_^[]E
9csmu)=A
URPQQhw@
t;T$4t
;v.4v\
UVWS33333[_^]
33333USVWj
_^[]Ul$
jXEU;u
Y]\3_[^j
0VVVVV
WWWWW6
W>+~,WPVYP
Y/V|Yt
Y}3u;5A
YY3BUA
V34809u
u&30VVVVV
P4UM`8
<PVEP(
r3VVhU
QH++PPVh
,P+P5P(
\D+48;E
0?@Y1(
8+0_[M3^j
WWWWWr
DDDDDDDDDDDDDD
8csmu*x
YYuBh@
VW33};
VVVVVD
u&hP8A
3PPPPP
@Y<v8VA
3VVVVV
VVVVVt
;t$t j
EYF`[_^
Gf>=Yt1j
tPVWP.
3PPPPP
3Y[_^5A
UQV3W}
@@ft<uf t
@@HHf9
@@Bf8\tf8"u8
ft$9Uu
UQQSVWh
V33SfA
`]YY?sJM
u+@S@WS:;
_[^SVWY
Ej@j ^V+;
[j@j :
;rE9=lA
eYV5dA
YYt:V5`A
P_YF,t
PQYF4t
PCYF<t
P5YF@t
P'YFDt
YF\=8A
YYt4V5`A
E3E3;u
F$|3@_^
j3G}39
MOI;|9 M
SI VW}
HD9#U#
MLD3#u
]#\D\D
<at9<rt,<wt bSSSSS
L9]u<eE
F> t>=upF> tj
0SSSSS
Wt1t'P
GW#YYF
UQSVW5A
;r@Pur
WPWPWv
8]tEMap<u
Zf1Af0A@@JuL
@;vFF~
XM_^3[j
Y^hS=<1A
3W;to=A
7YY~PE
USV5<1A
SV5H1A
t7t3V0;t(W8Yt
VYY^3j
Fpt"~l
j +Ygj
Pf;r]*
QP;YYu
3PPPPP
t4+t$HHt
ItUhtDlt
HHtYHHt
2itmnt$o
\YYYgu
7YYY;-u
t-RPSW09~
0@?If8
@@u+(u
EPFPF:A
u(9t M
`pM_^3[u
3;v.jX3;E
]wi=hA
;uL9=0A
EU_^j
WWWWW+
3]V3;|
dVVVVV
VvYt.VjYt"V^
V-Yt.V!Yt"V
]39}~0N
D=VP4YYtG;}|fE
YYM_^3[tp
YYu,9E
tAt2t$
eMapY,
E`p:39]
tGHt.Ht&l
^SSSSS0
Y+t7+t*+t
;t0;t,;t =
uEPuuu
SuEuPuuu
$ MeHM
;tSS6
tSSS6t#
E+PD=P6
_8VVVVV,
9ut(9ut
SV33W9u
CCGGM
tBft=f;t6EP
Map_^[
UV3W95PA
GGBBM
B(;r3_^[]
1E3PEd
Y_^[]USVWUj
P(RP$R
t:|$,t
;t$,v-4v
UQPXY]Y[
S3;VW|[;
t58t0=
]V3;|";
u$z0zVVVVV
<Y3C]~
u}uyG+j@j |YYEta
3SEEESX5
PZ+t Q3
SSSSSu
tVURPEPQ
Iuu}]U
+EPRQL
Yj hyA
Y+t"+t
+td+uD
3PPPPPq
PZEY3}
u@OdMGd
u wdSUY
yYYt,t(
;t0P6Yt%
S3VW;t
^0SSSSSn
3_^[];t
^0SSSSSHn
nVVVVV
@@fu+E
H]UWVu
DDDDDDDDDDDDDD
SSSSSh
tGHt.Ht&i
^SSSSS0Yi
Y+t7+t*+t
;t0;t,;t =
uEPuuu
SuEuPuuu
$ MeHM
tSSS6#
CSSS6r
E+PD=P6.
_8VVVVVb
9ut(9ut
u.aSSSSS
;u.aSSSSS
MfMf;u!f;t
E`p3^_[
H8]tMapUj
MLW}9_
u+_SSSSS
;u+_SSSSS
E`p3^_[
H8]tMap
WWWWW\
0Y}SYYE;t
ESV3W9
u8SS3GWh;A
E 5T0A
39]$SSu
PcLY;t
;~Ej3X
3;tAuVWuu
t"SS9]
EVYuEYY
3;tuSWx
PWu u|
uJYE;t
e_^[M3<
MqPu(Mu$u u
SV3W;u:EP3FVh;A
39] SSu
ESEYu39]
e_^[M3:
MrNu$Mu u
Hv$Gv(Gv,Gv0Gv4Gv
Gv8Gv<G@v@GvDGvHGvLGvPGvTGvXGv\Gv`zGvdrGvhjGvlbGvpZGvtRGvxJGv|BG@
FYv$;5
VEY^]UV3PPPPPPPPU
ru{vnM
tR:QuMPt<:Qu7Pt&:Qu!Pt
@AE9]r3_[
+UV3PPPPPPPPU
^SSSSS06R
f;v6;t
Map_^[;t2;w,/Rj"^SSSSS0Q
_WSV~p
0;u,:QWWWWW
u+9uv&OE
E`p3[_^
u,~\ ;t
Y}SFYE;
wIVSP(
]5VYE;t'CH;r
PSuwSESP
9}uH;u
E;t CH;r
PSuDwSu
3y_K|u
L1$!_^[u
HVVVVV
^s)EPj
Map[3PPj
ffffffu
S3VW9]
u.FSSSSS
v(GFSSSSS
E`p`E9X
8]tDMap;E
;t+3_^[
UV395PA
u EVVVVV
-WWuuj
WWWWVuWu
sYYE;t+WWVPVuWu
uYEe_^[M3/'QL$
EPQEPEj
AAu+Hu u
RQMQVp
Map^[UWVSM
B:t6t:t't
WVS3D$
bad allocation
CorExitProcess
runtime error
TLOSS error
SING error
DOMAIN error
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
- not enough space for locale information
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
- CRT not initialized
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
EncodePointer
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
UTF-16LE
UNICODE
Unknown exception
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
(null)
`h````
xpxxxx
`h`hhh
xppwpp
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
CONOUT$
Complete Object Locator'
Class Hierarchy Descriptor'
Base Class Array'
Base Class Descriptor at (
Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
delete[]
new[]
`local vftable constructor closure'
`local vftable'
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
delete
__unaligned
__restrict
__ptr64
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
121.88.5.184
need dictionary
stream end
file error
stream error
data error
insufficient memory
buffer error
incompatible version
invalid literal/length code
invalid distance code
invalid block type
invalid stored block lengths
too many length or distance symbols
invalid bit length repeat
inflate 1.1.3 Copyright 1995-1998 Mark Adler
incomplete dynamic bit lengths tree
oversubscribed literal/length tree
oversubscribed dynamic bit lengths tree
incomplete literal/length tree
oversubscribed distance tree
incomplete distance tree
empty distance tree with lengths
invalid distance code
invalid literal/length code
unknown compression method
jHqA}
kdzbeO\
iLA`rqg
@l2u\E
a=-fAv
\cQkkbal
eLXaMQ:t
jiCn4Fg
c;d>jm
i]Wbgeq6l
8ROggW
A`Ugn1yiFa
fo%6hRw
[&wowG
eibkaEl
`MGiIwn>Jj
)WTg#.zfJa
h]+o*7
-1.1.3
invalid window size
incorrect header check
need dictionary
incorrect data check
unzip 0.15 Copyright 1998 Gilles Vollant
sanfdr.bat
:Repeat
if exist "
" goto Repeat
rmdir "
%d.%d.%d.%d
121.88.5.183
121.88.5.184
121.88.5.184
GetTempPathW
GetFileAttributesW
OpenEventW
ExitProcess
GetTickCount
GetSystemWindowsDirectoryW
CloseHandle
CreateEventW
CreateThread
GetSystemDirectoryW
DeleteFileW
GetModuleFileNameW
GetVersionExW
ReadFile
CreateFileW
DeviceIoControl
GetTempPathA
GetModuleFileNameA
HeapAlloc
GetProcessHeap
HeapFree
MultiByteToWideChar
GetModuleHandleW
WriteFile
GetLastError
SetFilePointer
WideCharToMultiByte
KERNEL32.dll
LoadStringW
LoadAcceleratorsW
LoadIconW
LoadCursorW
RegisterClassExW
CreateWindowExW
DefWindowProcW
BeginPaint
EndPaint
PostQuitMessage
wsprintfW
USER32.dll
RegOpenKeyExW
RegQueryValueExW
RegCloseKey
RegSetValueExW
ADVAPI32.dll
ShellExecuteW
ShellExecuteA
SHELL32.dll
WS2_32.dll
GetAdaptersAddresses
IPHLPAPI.DLL
GetStartupInfoW
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
EnterCriticalSection
LeaveCriticalSection
RtlUnwind
GetConsoleCP
GetConsoleMode
GetProcAddress
GetStdHandle
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
SetHandleCount
GetFileType
GetStartupInfoA
DeleteCriticalSection
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
HeapCreate
VirtualFree
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
VirtualAlloc
HeapReAlloc
RaiseException
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
InitializeCriticalSectionAndSpinCount
SetStdHandle
FlushFileBuffers
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
LoadLibraryA
CreateFileA
HeapSize
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
SetEndOfFile
.?AVbad_alloc@std@@
.?AVexception@std@@
.?AVtype_info@@
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
218.54.31.226
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
0x0}00000
141q111111
2)2C2H2M2_2s2x2222222)3R3^3n33333333
4"474F4S4^4f4q4x4~444444
5.5F5[5x5555555
6]6c6n6w66666 7J7777
8$8.868<8H8Y8e8n8s88888888
9(9/9;9B9O9V9c9j9{9999999999
:(:5:=:x::
<@<<<<<R=====.>F>^>r>>>>>>>
040S0f0
1K1\1111111H2k22222[3h3|3333333
4.4;4F4T44444444
51555555555
6,6I6g66666
777`7s7x77777>8^8997:H::;;;;;'<L<x<<<*=I=d===g>>
?s?y?????
80U0d00000
1'1`11111Q2V2[2g2l2q2x2222222222)4h4444
555;6666
7C7K7d77777$818=8T8k888
9F9M9j9q9999:/;I;`;;;
<8<F<Q<d<<<<<p>z>>>
11'22733314k4457$88G;q<O>>>
? ?'?-???G?R???
2"2r2x2222)3;3333u4556m77K8X8b8u888888
9>9F9[9f9b<i<>$?*?0?6?<?B?I?P?W?^?e?l?s?{????????????????
1"1=1D1\11111
525V5f89-;];;k=??????????????
0!0-0:0^0p0~00000
121a1p103g3333
4@4K4444444
5U5r556666+7Q7]7i8N9d990:;q<{</=>===>>B?
0A1~11111,2w3333
4g445566
789I:z::::;;;<<<<<<
=-=S=q=x=|============V>a>|>>>>>>>
? ?$?(?,?0?z?????
030<0i000000
1#161A1F1V1`1g1r1{11111111/2<2f2k2v2{22J3W3t333333
4K4P4x444444#5]55555666*79777777'93999>9D9999
:%:9:Z:`::::1;;;c;|;;;;Q<W<z<
<<<<<<<<
=E=K=V=b=w=~===========
> >,>6>=>U>d>k>x>>>>
?F?L?h???
0C0M0000000
1 1&1.151:1B1K1W1\1a1g1k1q1v1|1111111111111
2$2*2F2v2{222222222
3,333=3g3u3{33333333
44444#71777Q7V7e7n7{777777777777
8"868=8C8Q8X8]8f8s8y88888 9<<<!=[==s?~????
0-0G0{00)12!3A3a333
4i44444h55555'6Z66
7888888
9B9M9W9p9z9999
<$<6<Q<Y<a<x<<<<<<<<
=)=:=]=">L>>>2?z???
0D0o2X44
5>555509!:;;;=?
0 0{00000<11111
2722N3{3333"4k4
5O5X5d5555555
6 6V77:8[8g88888g::R;e;;;;;;
?U?~??????
4|444e5
6;6K6f6666(7D777777/8A8888
9P9o:$;.;Z;;;;
<#<+<8<V<`<i<t<<<<<<x>>>>>>>>
?$?k?p???????
A0J0P000
1)1.1F1L1[1a1p1v11111111
232333
4O4h4o4w4|44444444
5^5d5h5l5p5555
616[66666666666
78f999
:%:7:w::y====
>$>;>`>w>,?
,3L3Q3+4c4444
5 5)515<5l55366
77U8888
9%9,9\99j:w<<<<<<<
0223314d44
5^5d555555866677>777
88999999
<e<<<<<==?
2L2P2T2X2\299999
x:|:::::::::::::::::::::::::::::::::
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
x0|000000000
$3(3333333333
4,404@4D4L4d4444
5$5(50545P5p555555555
6$6@6`666666
7(747P7\7x77777
888X8x8888888
9$9<9@9`9|99999
00011P5\5d5l5t5|55555555555555555
6777;<8=H=X=h=x===================== >0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>|>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
wwwwwwwwwwwwwwwpxpx
pxwwwwwwwwwwwwwxpxpxDDDDDDDDD@
pxDDDDDDDDDH
pxDDDDDDDDDH
pxDDDDDDDDDDDDDDpxpwwwwwwwwwwwwwwwp
wwwwwwwpxpxpxpxpxpxpxpxwwwwwwpxDDDpxDDDDDDpxpwwwwwwww
%%$$"#"#"#*+()''&&??<=9;7A63[4]5mm]5\]m]mm5\mm5555555\\\5\\\5m\55\\5ed:cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
CWkV21TSav^8{
}>qooggggggg1`_fhsnHK{JLp
Gl-FjNw~ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt
.#%-0%:?%9>%8=%7;
EG@DF@MO@LN2Kh2\g2]f2[I3')+*+)))*))()*+++,6J!54 CBAjYPQTVTSkllZTTXRTUiHceWda/
iu`_<bmt^}zy|yx~
{|yvrrwsqpon
PPPPPPPPPPPPPPPPPKMNNNNNNNNNNOLO
JHHGGGGGGGGHI
JEEEEEEEEEEFC
JEEEEEEEEEEFC
JEEEEEEEEEEFD
JEFEEEEEEEEEB
O%JEEEEEEEEEFFB
JJIIIIJIIIIJJ
O(@>=77A779?<8;$O'
)O6530./21+*-,4#4PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'H#P'Q'Q'Q'Q'
R&R&R'R&R&R&R&R&Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'R'
e)qjiPt
{rFpcq
S^EDIID:BI638?@=>>=======8,00-.(',0-0178
S(O$N!N!N!N!N"M"M"M"M"M"M"M"M"M"M"M"M"M"M"M"M"N"M"M"O$S)O"
QDf>.j~ro
*V=;?73?//87566-&*'!+3$357_
OO&F#C!C!C!C!C!C!C!C!C!C!
A E$R(
x(s o7|WRzW
wwwwwwwwwwwwwwwpxpx
pxwwwwwwwwwwwwwxpxpxDDDDDDDDD@
pxDDDDDDDDDH
pxDDDDDDDDDH
pxDDDDDDDDDDDDDDpxpwwwwwwwwwwwwwwwp
wwwwwwwpxpxpxpxpxpxpxpxwwwwwwpxDDDpxDDDDDDpxpwwwwwwww
%%$$"#"#"#*+()''&&??<=9;7A63[4]5mm]5\]m]mm5\mm5555555\\\5\\\5m\55\\5ed:cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
CWkV21TSav^8{
}>qooggggggg1`_fhsnHK{JLp
Gl-FjNw~ytMMMMMMUbbrrrrrxxxxxxxxrriUMMMMMMMMMUuzt
.#%-0%:?%9>%8=%7;
EG@DF@MO@LN2Kh2\g2]f2[I3')+*+)))*))()*+++,6J!54 CBAjYPQTVTSkllZTTXRTUiHceWda/
iu`_<bmt^}zy|yx~
{|yvrrwsqpon
PPPPPPPPPPPPPPPPPKMNNNNNNNNNNOLO
JHHGGGGGGGGHI
JEEEEEEEEEEFC
JEEEEEEEEEEFC
JEEEEEEEEEEFD
JEFEEEEEEEEEB
O%JEEEEEEEEEFFB
JJIIIIJIIIIJJ
O(@>=77A779?<8;$O'
)O6530./21+*-,4#4PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'H#P'Q'Q'Q'Q'
R&R&R'R&R&R&R&R&Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'Q'R'
e)qjiPt
{rFpcq
S^EDIID:BI638?@=>>=======8,00-.(',0-0178
S(O$N!N!N!N!N"M"M"M"M"M"M"M"M"M"M"M"M"M"M"M"M"N"M"M"O$S)O"
QDf>.j~ro
*V=;?73?//87566-&*'!+3$357_
OO&F#C!C!C!C!C!C!C!C!C!C!
A E$R(
x(s o7|WRzW
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
kernel32.dll
LoadLibraryA
GetProcAddress
VirtualAlloc
VirtualFree
90so!M
4onJ$@
#F{@"X
N,+Kj@h#Q
uD3ZeXj0
}G_;tYw8$R<
Cu},&HUzl
U\, t@
'7P(QCb
Z`;2=i2
1}q&nH<+)6Q^2 |
@tKwFQ
$2/77+
PWQS ze
msvb]f\"
Y\09NN"c
M`AyfQq@Id MZh0loM
TDj(ok*0+R
fA_6Lk$me
'`s0QvPj
zh"^C*
ApAlicaton
er{sN
The3<cdl
%os5/l]ntPbza6idSDL:G
51d,al 3*W'tcHus32MagBo8xA=w
k89l?Exi)tP7L
ChHand
l|V irtA=cIv
$PH<H0zI
`t$$|$(3
r+|$(|$
USQWVRW
ZPR3C
Z^_Y[]
D:\PMS\pms4\Project(20131216)\GbpInstall_2008\bin\GbpInstall.pdb
L!This program cannot be run in DOS mode.
i2h:2h:2h:2i:gh::1h::3h:)%:"h:)%:Ph:)%:
h::3h::*h::3h::3h:Rich2h:
`.data
@.reloc
otools\inc\nlg\private\inc\msfsa\faarray_cont_t.h
otools\inc\nlg\private\inc\msfsa\falextools_t.h
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
CorExitProcess
bad exception
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
Unknown exception
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
nlg\lib\msfsa\faallocator.cpp
nlg\lib\msfsa\farsdfa_pack_triv.cpp
otools\inc\nlg\private\inc\msfsa\faarray_cont_2xresize_t.h
nlg\lib\msfsa\famultimap_pack.cpp
Internal error.
Object cannot be initialized.
Limit size has been exceeded.
Out of memory.
Object is not ready.
]ut5p?
W3+t#Hu7Vu
^3[UQE
V3WM0u
UVW39~
<|uCt7
t79V$t2h
M 3UE9J
MA3;~\U
E;}q}M
PE @PE
MPE+@PE
G;}|}]}$
F;}^U9]
z;~\;}T;]
Yt]U]U]
EVW3EP
@�@�@�@�@�@�@�
$�@�I�@�@�@�@�@�@�@�@�
U�T�F�-�1�6�L�E�
U�N�I�C�O�D�E�
m�s�c�o�r�e�e�.�d�l�l�
K�E�R�N�E�L�3�2�.�D�L�L�
(�n�u�l�l�)�
� � � � � � � � �(�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
� � � � � � � � �h�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �H�
S�o�f�t�w�a�r�e�\�M�i�c�r�o�s�o�f�t�\�W�i�n�d�o�w�s� �N�T�\�C�u�r�r�e�n�t�V�e�r�s�i�o�n�\�W�i�n�d�o�w�s�
T�r�a�y�K�e�y�
%�s�.�e�x�e�
t�m�p�4�%�X�.�e�x�e�
\�H�a�n�g�a�m�e�\�K�O�R�E�A�N�\�H�a�n�U�n�i�n�s�t�a�l�l�.�e�x�e�
\�N�E�O�W�I�Z�\�P�M�a�n�g�\�c�o�m�m�o�n�\�P�M�L�a�u�n�c�h�e�r�.�e�x�e�
\�N�e�t�m�a�r�b�l�e�\�C�o�m�m�o�n�\�N�e�t�M�a�r�b�l�e�E�n�d�W�e�b�.�e�x�e�
\�P�r�o�g�r�a�m� �F�i�l�e�s�\�A�h�n�L�a�b�\�V�3�L�i�t�e�3�0�\�V�3�L�i�t�e�.�e�x�e�
\�P�r�o�g�r�a�m� �F�i�l�e�s�\�E�S�T�s�o�f�t�\�A�L�Y�a�c�\�A�Y�L�a�u�n�c�h�.�e�x�e�
\�P�r�o�g�r�a�m� �F�i�l�e�s�\�n�a�v�e�r�\�N�a�v�e�r�A�g�e�n�t�\�N�a�v�e�r�A�g�e�n�t�.�e�x�e�
2�1�8�.�5�4�.�2�8�.�1�3�9�
1�2�1�.�8�8�.�5�.�1�8�3�
d�o�s�r�e�t�
g�o�l�f�i�n�f�o�.�i�n�i�
g�o�l�f�s�e�t�.�i�n�i�
H�G�D�r�a�w�.�d�l�l�
%�s�%�s�%�s�
u�n�k�n�o�w�n� �z�i�p� �r�e�s�u�l�t� �c�o�d�e�
S�u�c�c�e�s�s�
C�u�l�d�n�'�t� �d�u�p�l�i�c�a�t�e� �h�a�n�d�l�e�
C�o�u�l�d�n�'�t� �c�r�e�a�t�e�/�o�p�e�n� �f�i�l�e�
F�a�i�l�e�d� �t�o� �a�l�l�o�c�a�t�e� �m�e�m�o�r�y�
E�r�r�o�r� �w�r�i�t�i�n�g� �t�o� �f�i�l�e�
F�i�l�e� �n�o�t� �f�o�u�n�d� �i�n� �t�h�e� �z�i�p�f�i�l�e�
S�t�i�l�l� �m�o�r�e� �d�a�t�a� �t�o� �u�n�z�i�p�
Z�i�p�f�i�l�e� �i�s� �c�o�r�r�u�p�t� �o�r� �n�o�t� �a� �z�i�p�f�i�l�e�
E�r�r�o�r� �r�e�a�d�i�n�g� �f�i�l�e�
C�o�r�r�e�c�t� �p�a�s�s�w�o�r�d� �r�e�q�u�i�r�e�d�
C�a�l�l�e�r�:� �f�a�u�l�t�y� �a�r�g�u�m�e�n�t�s�
C�a�l�l�e�r�:� �t�h�e� �f�i�l�e� �h�a�d� �a�l�r�e�a�d�y� �b�e�e�n� �p�a�r�t�i�a�l�l�y� �u�n�z�i�p�p�e�d�
C�a�l�l�e�r�:� �c�a�n� �o�n�l�y� �g�e�t� �m�e�m�o�r�y� �o�f� �a� �m�e�m�o�r�y� �z�i�p�f�i�l�e�
C�a�l�l�e�r�:� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �a�l�l�o�c�a�t�e�d� �f�o�r� �m�e�m�o�r�y� �z�i�p�f�i�l�e�
C�a�l�l�e�r�:� �t�h�e�r�e� �w�a�s� �a� �p�r�e�v�i�o�u�s� �e�r�r�o�r�
C�a�l�l�e�r�:� �a�d�d�i�t�i�o�n�s� �t�o� �t�h�e� �z�i�p� �h�a�v�e� �a�l�r�e�a�d�y� �b�e�e�n� �e�n�d�e�d�
C�a�l�l�e�r�:� �m�i�x�i�n�g� �c�r�e�a�t�i�o�n� �a�n�d� �o�p�e�n�i�n�g� �o�f� �z�i�p�
Z�i�p�-�b�u�g�:� �i�n�t�e�r�n�a�l� �i�n�i�t�i�a�l�i�s�a�t�i�o�n� �n�o�t� �c�o�m�p�l�e�t�e�d�
Z�i�p�-�b�u�g�:� �t�r�y�i�n�g� �t�o� �s�e�e�k� �t�h�e� �u�n�s�e�e�k�a�b�l�e�
Z�i�p�-�b�u�g�:� �t�h�e� �a�n�t�i�c�i�p�a�t�e�d� �s�i�z�e� �t�u�r�n�e�d� �o�u�t� �w�r�o�n�g�
Z�i�p�-�b�u�g�:� �t�r�i�e�d� �t�o� �c�h�a�n�g�e� �m�i�n�d�,� �b�u�t� �n�o�t� �a�l�l�o�w�e�d�
Z�i�p�-�b�u�g�:� �a�n� �i�n�t�e�r�n�a�l� �e�r�r�o�r� �d�u�r�i�n�g� �f�l�a�t�i�o�n�
%�s�%�s�.�e�x�e�
\�\�.�\�%�s�
\�\�.�\�P�H�Y�S�I�C�A�L�D�R�I�V�E�
%�d�.�%�d�.�%�d�.�%�d�
U�n�K�n�o�w�n�
W�i�n�2�0�0�3�
W�i�n�V�i�s�t�a�
W�i�n�S�e�v�e�n�
'�(�,�,�-�-�.�0�0�0�0�1�3�
1�6�7�8�8�8�:�=�>�=�@�?�B�D�E�I�I�I�S�^�
;�@�Q�b�c�b�b�o�
!�&�'�*�+�-�
*�/�/�3�3�5�6�5�7�7�8�;�=�?�
x�$�&�*�+�+�,�-�-�/�0�4�6�I�
s�s�s�s�s�s�
s�s�s�s�s�s�s�s�s�
Y�L�F�C�E�D�E�C�C�C�D�C�C�E�C�C�D�E�E�E�C�I�S�@�J�I�B�
f�k�m�k�n�n�n�m�
n�n�m�m�l�n�o�o�i�
'�(�,�,�-�-�.�0�0�0�0�1�3�
1�6�7�8�8�8�:�=�>�=�@�?�B�D�E�I�I�I�S�^�
;�@�Q�b�c�b�b�o�
!�&�'�*�+�-�
*�/�/�3�3�5�6�5�7�7�8�;�=�?�
x�$�&�*�+�+�,�-�-�/�0�4�6�I�
s�s�s�s�s�s�
s�s�s�s�s�s�s�s�s�
Y�L�F�C�E�D�E�C�C�C�D�C�C�E�C�C�D�E�E�E�C�I�S�@�J�I�B�
f�k�m�k�n�n�n�m�
n�n�m�m�l�n�o�o�i�
H�o�j�d�t�e�
O�P�L�J�D�H�R�R�E�T�S�Y�
R�E�S�O�U�R�C�E�_�F�A�T�O�K�E�N�I�Z�E�R�
K�E�R�N�E�L�3�2�.�D�L�L�
s�m�s�c�o�r�e�e�.�d�l�l�
n�r�u�n�t�i�m�e� �e�r�r�o�r� �
T�L�O�S�S� �e�r�r�o�r�
S�I�N�G� �e�r�r�o�r�
D�O�M�A�I�N� �e�r�r�o�r�
-� �A�t�t�e�m�p�t� �t�o� �u�s�e� �M�S�I�L� �c�o�d�e� �f�r�o�m� �t�h�i�s� �a�s�s�e�m�b�l�y� �d�u�r�i�n�g� �n�a�t�i�v�e� �c�o�d�e� �i�n�i�t�i�a�l�i�z�a�t�i�o�n�
T�h�i�s� �i�n�d�i�c�a�t�e�s� �a� �b�u�g� �i�n� �y�o�u�r� �a�p�p�l�i�c�a�t�i�o�n�.� �I�t� �i�s� �m�o�s�t� �l�i�k�e�l�y� �t�h�e� �r�e�s�u�l�t� �o�f� �c�a�l�l�i�n�g� �a�n� �M�S�I�L�-�c�o�m�p�i�l�e�d� �(�/�c�l�r�)� �f�u�n�c�t�i�o�n� �f�r�o�m� �a� �n�a�t�i�v�e� �c�o�n�s�t�r�u�c�t�o�r� �o�r� �f�r�o�m� �D�l�l�M�a�i�n�.�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �l�o�c�a�l�e� �i�n�f�o�r�m�a�t�i�o�n�
-� �A�t�t�e�m�p�t� �t�o� �i�n�i�t�i�a�l�i�z�e� �t�h�e� �C�R�T� �m�o�r�e� �t�h�a�n� �o�n�c�e�.�
T�h�i�s� �i�n�d�i�c�a�t�e�s� �a� �b�u�g� �i�n� �y�o�u�r� �a�p�p�l�i�c�a�t�i�o�n�.�
-� �C�R�T� �n�o�t� �i�n�i�t�i�a�l�i�z�e�d�
-� �u�n�a�b�l�e� �t�o� �i�n�i�t�i�a�l�i�z�e� �h�e�a�p�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �l�o�w�i�o� �i�n�i�t�i�a�l�i�z�a�t�i�o�n�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �s�t�d�i�o� �i�n�i�t�i�a�l�i�z�a�t�i�o�n�
-� �p�u�r�e� �v�i�r�t�u�a�l� �f�u�n�c�t�i�o�n� �c�a�l�l�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �_�o�n�e�x�i�t�/�a�t�e�x�i�t� �t�a�b�l�e�
-� �u�n�a�b�l�e� �t�o� �o�p�e�n� �c�o�n�s�o�l�e� �d�e�v�i�c�e�
-� �u�n�e�x�p�e�c�t�e�d� �h�e�a�p� �e�r�r�o�r�
-� �u�n�e�x�p�e�c�t�e�d� �m�u�l�t�i�t�h�r�e�a�d� �l�o�c�k� �e�r�r�o�r�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �t�h�r�e�a�d� �d�a�t�a�
-� �a�b�o�r�t�(�)� �h�a�s� �b�e�e�n� �c�a�l�l�e�d�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �e�n�v�i�r�o�n�m�e�n�t�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �a�r�g�u�m�e�n�t�s�
-� �f�l�o�a�t�i�n�g� �p�o�i�n�t� �s�u�p�p�o�r�t� �n�o�t� �l�o�a�d�e�d�
M�i�c�r�o�s�o�f�t� �V�i�s�u�a�l� �C�+�+� �R�u�n�t�i�m�e� �L�i�b�r�a�r�y�
<�p�r�o�g�r�a�m� �n�a�m�e� �u�n�k�n�o�w�n�>�
R�u�n�t�i�m�e� �E�r�r�o�r�!�
P�r�o�g�r�a�m�:� �
H�H�:�m�m�:�s�s�
d�d�d�d�,� �M�M�M�M� �d�d�,� �y�y�y�y�
M�M�/�d�d�/�y�y�
D�e�c�e�m�b�e�r�
N�o�v�e�m�b�e�r�
O�c�t�o�b�e�r�
S�e�p�t�e�m�b�e�r�
A�u�g�u�s�t�
F�e�b�r�u�a�r�y�
J�a�n�u�a�r�y�
S�a�t�u�r�d�a�y�
F�r�i�d�a�y�
T�h�u�r�s�d�a�y�
W�e�d�n�e�s�d�a�y�
T�u�e�s�d�a�y�
M�o�n�d�a�y�
S�u�n�d�a�y�
W�U�S�E�R�3�2�.�D�L�L�
� � � � � � � � �(�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
C�O�N�O�U�T�$�
Process Tree
-
026eb9f75f32289a20cf0118c739b50afac141440912910496b64045c32a656a.exe (3012)
"C:\Users\Administrator\AppData\Local\Temp\026eb9f75f32289a20cf0118c739b50afac141440912910496b64045c32a656a.exe"
- cmd.exe (1852) cmd /c ""C:\Users\ADMINI~1\AppData\Local\Temp\sanfdr.bat" "
- opert.exe (3008) "C:\Users\ADMINI~1\AppData\Local\Temp\opert.exe"
026eb9f75f32289a20cf0118c739b50afac141440912910496b64045c32a656a.exe, PID: 3012, Parent PID: 2236
default registry file network process services synchronisation iexplore office pdf
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | bfb160e2a50631c0_opert.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\opert.exe |
| Size | 247.4KB |
| Processes | 3012 (026eb9f75f32289a20cf0118c739b50afac141440912910496b64045c32a656a.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed |
| MD5 | 1ca25c34dcbb6d70ab5cc7aa1116eea0 |
| SHA1 | 279eae2722d68a549a6a042f4f76be40bb1c7326 |
| SHA256 | bfb160e2a50631c04935078c7510ce9ab056a56cbbd106242d1dc823955b181d |
| CRC32 | B9EF794F |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 026eb9f75f32289a_026eb9f75f32289a20cf0118c739b50afac141440912910496b64045c32a656a.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\026eb9f75f32289a20cf0118c739b50afac141440912910496b64045c32a656a.exe |
| Size | 247.3KB |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed |
| MD5 | 48352fbcd33bd57c96a21ac15d4c4f7c |
| SHA1 | 24e3c3257690aa5a3dddaf0e2b376659f6ff137a |
| SHA256 | 026eb9f75f32289a20cf0118c739b50afac141440912910496b64045c32a656a |
| CRC32 | 0A12F9A2 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 288dbcbbbb5a28f3_sanfdr.bat |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\sanfdr.bat |
| Size | 365.0B |
| Processes | 3012 (026eb9f75f32289a20cf0118c739b50afac141440912910496b64045c32a656a.exe) 1852 (cmd.exe) |
| Type | ASCII text, with CRLF, CR line terminators |
| MD5 | 5363a5e38a01eeefbb0873d584cb21b1 |
| SHA1 | 4c49a0e827cb4cb52213d05c4f7a270d495f3ca2 |
| SHA256 | 288dbcbbbb5a28f3bfde3dacc257efd45c2df6b2eae4cb0be5ea430c304b5099 |
| CRC32 | 3F567A90 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 5e6f5d1e0b085ab1_golfinfo.ini |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\golfinfo.ini |
| Size | 512.0B |
| Processes | 3012 (026eb9f75f32289a20cf0118c739b50afac141440912910496b64045c32a656a.exe) |
| Type | data |
| MD5 | 825b6d4b82278d179570497de779d1e8 |
| SHA1 | 228ff318b219d57b03415b56e2dea6e7f4df7ee4 |
| SHA256 | 5e6f5d1e0b085ab1dc25875ab64eb9b95806fc62be1655fb0ff686fa21ad5710 |
| CRC32 | 8DEF3DC1 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.