2.3
中危
DACN
0.12
FACILE
1.00
IMCLNet
0.81
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Agent-APNJ [Trj] | 20200513 | 18.4.3895.0 |
| Baidu | Win32.Trojan.Agent.dc | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (W) | 20190702 | 1.0 |
| Kingsoft | None | 20200513 | 2013.8.14.323 |
| McAfee | W32/Autorun.worm.aacd | 20200513 | 6.0.6.653 |
| Tencent | Trojan.Win32.FakeFolder.uu | 20200513 | 1.0.0.1 |
静态指标
动态指标
检查是否有任何人类活动正在进行,通过不断检查前景窗口是否发生变化
在 PE 资源中识别到外语
(3 个事件)
| name | RT_ICON | language | LANG_TURKISH | filetype | None | sublanguage | SUBLANG_DEFAULT | offset | 0x0003e568 | size | 0x00001ca8 | ||||||||||||||||||
| name | RT_GROUP_ICON | language | LANG_TURKISH | filetype | None | sublanguage | SUBLANG_DEFAULT | offset | 0x00040210 | size | 0x00000014 | ||||||||||||||||||
| name | RT_VERSION | language | LANG_TURKISH | filetype | None | sublanguage | SUBLANG_DEFAULT | offset | 0x0003e220 | size | 0x00000348 | ||||||||||||||||||
在文件系统上创建可执行文件
(1 个事件)
| file | C:\Program Files (x86)\e8fdc9ff\jusched.exe |
投放一个二进制文件并执行它
(1 个事件)
| file | C:\Program Files (x86)\e8fdc9ff\jusched.exe |
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
在 Windows 启动时自我安装以实现自动运行
(1 个事件)
| file | C:\Windows\Tasks\Update23.job |
操作本地防火墙的策略和设置
(1 个事件)
| registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List |
文件已被 VirusTotal 上 64 个反病毒引擎识别为恶意
(50 out of 64 个事件)
| ALYac | Gen:Variant.Buzy.4160 |
| APEX | Malicious |
| AVG | Win32:Agent-APNJ [Trj] |
| Acronis | suspicious |
| Ad-Aware | Gen:Variant.Buzy.4160 |
| AhnLab-V3 | Trojan/Win32.Npkon.R18258 |
| Antiy-AVL | Worm/Win32.Juched |
| Arcabit | Trojan.Buzy.D1040 |
| Avast | Win32:Agent-APNJ [Trj] |
| Avira | TR/Graftor.1103.80 |
| Baidu | Win32.Trojan.Agent.dc |
| BitDefender | Gen:Variant.Buzy.4160 |
| BitDefenderTheta | Gen:NN.ZexaF.34108.ty3@aa0UeopG |
| Bkav | W32.KatemoxF.Trojan |
| CMC | Worm.Win32.Autorun!O |
| ClamAV | Win.Trojan.BankerSpy-1 |
| Comodo | Worm.Win32.Juched.PGY@4yojo0 |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cybereason | malicious.45c7fe |
| Cylance | Unsafe |
| Cyren | W32/Agent.KI.gen!Eldorado |
| DrWeb | Trojan.Siggen3.48140 |
| ESET-NOD32 | Win32/Agent.UDI |
| Emsisoft | Gen:Variant.Buzy.4160 (B) |
| Endgame | malicious (high confidence) |
| F-Prot | W32/Agent.KI.gen!Eldorado |
| F-Secure | Trojan.TR/Graftor.1103.80 |
| FireEye | Generic.mg.7424fab45c7fef54 |
| Fortinet | W32/Agent.SRG!tr |
| GData | Gen:Variant.Buzy.4160 |
| Ikarus | Trojan.Win32.Webprefix |
| Invincea | heuristic |
| Jiangmin | Worm/Generic.qfm |
| K7AntiVirus | EmailWorm ( 005191521 ) |
| K7GW | EmailWorm ( 005191521 ) |
| Kaspersky | Worm.Win32.Juched.fih |
| MAX | malware (ai score=89) |
| Malwarebytes | Trojan.Agent |
| MaxSecure | Worm.Win32.Juched.FIH |
| McAfee | W32/Autorun.worm.aacd |
| McAfee-GW-Edition | BehavesLike.Win32.Autorun.fz |
| MicroWorld-eScan | Gen:Variant.Buzy.4160 |
| Microsoft | Worm:Win32/Ganelp.E |
| NANO-Antivirus | Trojan.Win32.Juched.fiiwuu |
| Panda | Generic Malware |
| Qihoo-360 | Win32/Worm.Juched.A |
| Rising | Trojan.Agent!1.C135 (CLASSIC) |
| SUPERAntiSpyware | Trojan.Agent/Gen-Ganel |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2012-02-16 21:40:53
PE Imphash
bbbaf1c2eb723302fbbb7808c45c4bc3
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x000256c0 | 0x00026000 | 3.8473107485487046 |
| .rdata | 0x00027000 | 0x00001c16 | 0x00002000 | 4.644361314120306 |
| .data | 0x00029000 | 0x00013224 | 0x00002000 | 0.8712557935698257 |
| .idata | 0x0003d000 | 0x00000a49 | 0x00001000 | 3.013846830384983 |
| .rsrc | 0x0003e000 | 0x00002990 | 0x00003000 | 2.3772164594560987 |
| .reloc | 0x00041000 | 0x000013b1 | 0x00002000 | 4.189607963118827 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_ICON | 0x0003e568 | 0x00001ca8 | LANG_TURKISH | SUBLANG_DEFAULT | None |
| RT_GROUP_ICON | 0x00040210 | 0x00000014 | LANG_TURKISH | SUBLANG_DEFAULT | None |
| RT_VERSION | 0x0003e220 | 0x00000348 | LANG_TURKISH | SUBLANG_DEFAULT | None |
Imports
Library KERNEL32.dll:
• 0x43d278 GetLastError
• 0x43d27c GetSystemTime
• 0x43d280 MultiByteToWideChar
• 0x43d284 GetLocaleInfoA
• 0x43d288 GetModuleHandleA
• 0x43d28c FindNextFileA
• 0x43d290 FindFirstFileA
• 0x43d294 FlushFileBuffers
• 0x43d298 SetEnvironmentVariableA
• 0x43d29c FindClose
• 0x43d2a0 Sleep
• 0x43d2a4 CompareStringW
• 0x43d2a8 CompareStringA
• 0x43d2ac SetStdHandle
• 0x43d2b0 SetFilePointer
• 0x43d2b4 GetTimeZoneInformation
• 0x43d2b8 GetLocalTime
• 0x43d2bc ExitProcess
• 0x43d2c0 TerminateProcess
• 0x43d2c4 GetCurrentProcess
• 0x43d2c8 GetStartupInfoA
• 0x43d2cc GetCommandLineA
• 0x43d2d0 GetVersion
• 0x43d2d4 DebugBreak
• 0x43d2d8 GetStdHandle
• 0x43d2dc WriteFile
• 0x43d2e0 InterlockedDecrement
• 0x43d2e4 OutputDebugStringA
• 0x43d2e8 GetProcAddress
• 0x43d2ec LoadLibraryA
• 0x43d2f0 InterlockedIncrement
• 0x43d2f4 GetModuleFileNameA
• 0x43d2f8 IsBadWritePtr
• 0x43d2fc IsBadReadPtr
• 0x43d300 HeapValidate
• 0x43d304 UnhandledExceptionFilter
• 0x43d308 FreeEnvironmentStringsA
• 0x43d30c FreeEnvironmentStringsW
• 0x43d310 WideCharToMultiByte
• 0x43d314 GetEnvironmentStrings
• 0x43d318 GetEnvironmentStringsW
• 0x43d31c SetHandleCount
• 0x43d320 GetFileType
• 0x43d324 HeapDestroy
• 0x43d328 HeapCreate
• 0x43d32c HeapFree
• 0x43d330 VirtualFree
• 0x43d334 RtlUnwind
• 0x43d338 SetConsoleCtrlHandler
• 0x43d33c HeapAlloc
• 0x43d340 HeapReAlloc
• 0x43d344 VirtualAlloc
• 0x43d348 GetCPInfo
• 0x43d34c GetACP
• 0x43d350 GetOEMCP
• 0x43d354 GetStringTypeA
• 0x43d358 GetStringTypeW
• 0x43d35c LCMapStringA
• 0x43d360 LCMapStringW
• 0x43d364 CloseHandle
Library USER32.dll:
• 0x43d3c4 MessageBoxA
Library ADVAPI32.dll:
• 0x43d248 GetUserNameW
L!This program cannot be run in DOS mode.
e=l6=l6=l6!`6=l6r"g6=l6r"f6=l6
!b6=l6=l6=l6"
6=l6=m6=l6r"z6=l6";j6=l6Rich=l6
.rdata
@.data
.idata
@.reloc
UDSVW}
E_^[]UPSVW}
~_^[P;fR
]UTSVW}
MU;U}cE
E}^}3M
]U@SVW}
]UDSVW}
_^[]UPSVW}
|@U< B
>E<$,C
_^[]UDSVW}
_^[]UlSVW}
u,U;Uu
t\U;Uu
E_^[l;4F
]UDSVW}
_^[]UpSVW}
EMMU3f
Q<UE8PE
MQxUEH|MU
M;M}-U
_^[p;C
]U`SVW}
EMMU3f
Q<UE8PE
3_MQxUEH|MU
ME_^[]UD
]U@SVW}
_^[@;7
3zQR9:
jPMQj#
UEEMQl2
EMMURP2
jPMQj#
UEEMQl.
EMMURP.
]U|SVW}
_^[|;+
]UHSVW}
_^[H;!
]UHSVW}
E_^[H;
]UHSVW}
MuRh|C
9Us)E3
3EEEfE
jdTQhDB
MQh`pB
URh@pB
MQPx;L
fUfUfEfEfMfMfE
-oje`[VQLG_^[
TPP`Qs
;}}PRcP
wuWhuB
E}tEEP
$~~j<j
tAt2t$
PRSVWhwB
_^[ZX]
r)$(g@
DDDDDDDDDDDDDD
GIt%t)
Gt/KuD$
GKu[^D$
E]U= C
]UQ=(C
]UjhxB
PjEEPQM
EMQUR'
eEPJMd
_^[]U=8C
RPQRPQRPQREPM
t } u%=$B
t&h4{B
E _^[]Uj
3u&hP}B
t&h4{B
;t!hx|B
M;Mt!hD|B
;Et!h(|B
E_^[]Uj
]UQSVWB
uCE PMQ
uCE PMQ
;Mt!h}B
;Mt!h}B
_^[]Uj
EE_^[]UQ
E]UQSVWE
_^[]UQ<B
E]UQSVWE
E_^[]U
u:U REH
QURhh~B
u:E PMQ
REPh<~B
u/M Qh`
RE PMQh
E_^[]`@
%URhPB
H0_^[]U
A,+B,M
J0+H0U
E_^[]U
PM Qh8B
u_^[]U\SVWE
UB E=PB
EPMQhB
u_^[]U4SVWEP
3_^[]UQSVW}
3u_^[]U
Ujmh<B
=tGjyh<B
EMMUREPj
UREPMU
PMQUR#
EPMQUREPj
3%MQUREP
MU;U}eE8tXM
E}tXMQ
E}@}2M<C
]USVWUj
t.;t$$t(4v
VC20XC00U
]_^[]UL$
_^[]UQE
]U0SVWEE
E_^[]U,SVWEE
E_^[]Q=
]UQ=$B
M$k<U(
M$k<U(
EE]U]U@B
UE;Es%MU
MU;Us$EM#
MU;UuIC
U#TDU}
E}?} MU
UE;Ew]MA
UUE+EE
M;t U;u
tn} }2
,3]U0SVWEE
E_^[]U
MQUREPj
s{Uk0ExB
Mk0UEfAlB
Ar;Zw2aC
Qar;zw2aC
G]U=LC
ddIdd.wld3
``C``5
fEfMQRA
U tHE@t
RPRPu0RPQR9~
ERM+MM
fZfZPxQ
QtRxP)
_^[]@@
=u(MQU
U3]UWVu
DDDDDDDDDDDDDD
SVWe=pC
3CMQURE
PMQURE
_^[]UjhB
SVWe=tC
REPMQU
EPMQUREPM
EPMQh
QUREPh
QU+RQU
E+]UQSVW}
_^[]UE
@]UQ=C
UREPjM
Mf3]UQE
M}-s#UE
|jyh B
~VUREH
;Eu!MQ
]UjhxB
SVWe=|C
$&eeMME
3FUREPM
3"MQUREPMQU
E_^[]UQE
EE]UQ=LC
3]UQVE
3^]USVW}
B8t6t8t't
B^_[%C
%Uopqr34&^',-.CDcd<=OP !#$QRS>EF/6?@ABZ[]`_XYlmn89:;wxyz{|}~I2NVabGHefjk7()*+015WghiTJKL\Mstuv
n2ltcr#MlnAabyrireltuAeDcyedFNAtimVaAplGiwro#Vmfanr3leodstuaeoirFLaSitbsreerGoeeeevntieoi#WoitAtunmoeldGrdsedHlLLa#er#FAieCtro#MllmGnonrlCFAtdDcyelIri#ke.#PAeGoed#drAebytert#aitAtuia#Ereab#yeenserGoeotA
dslFNFAnoRvro#ei#DeeeglvrsrelpnhGunosPe2srsN#sn#ai#tleiGiiGalGaenri#dteil#oitAlFAtvpGoaitgCtolSs#Cers#c3rPe2toaeeFAiiRF#FS#bl#briiFAnxlFCemDcyeeeeiy#LcrSn#aoe2pttrPedosi#c3xlHlreerF#deteeoAcoF#FFteiei#dseeerDtlGrTAtiDeiAeTh3aoertcIrsFtoseCedCtlWeealelzllolle
i.#etnnnocFelIrCedntlteeIrCe#Gi#etsn#ielnnp#etnApFAteoaewndIrOAtentttennlHl
i.#etnnnocFulIrCedntlteeIrCe#Pi#etsn#ielnnp#etnApFAteoaewndIrOAtentttennlHl
leeexthEuSlcA
l.e2lh3lsld
*t*B0_`2lwwP%Y29%Yw9u*PY`*PwmAVPX`*@dwPaiVVPXX`edwdvPYPwX`1AwPrduue9uAV4`*Yd%adwaew9 AuP`ilY@9wA&Pai::uAVdYA9%X`]AXY
bd:ael*nE::
CegsyeoeRlK
SaEgVeetuARelx
OKxgnEeeyRpeA
a2lv3ldidap.
DtlgeaAelVeReeu
CtygaeAeeKxRreE
\Java\jre-
gFsomeralPri
*9 YrdwP`FFFFFFFFFFFFFFFFF`2lwwP%YcPwXA9%`)l%
e.gteeixrde
rrr5u9?5OPu:cPwI@u:{XYdYX5OPu:cPwI@u:{<dV#l:X5OPu:cPwI@u:{
Y:IduA&dvPYduIV9vIYw{duA&dvPYduIV9vIYw{@aWFF{ Y:IX9uAXAuPYAXAvIV9v{<PdYwAVPuPd{JP:&P:Iy/yW{ Y:I4PXAvV9:4IV9v{4PXAvV9:4F{UC/V4 {
/Downs/HelpVer.hlp
Help.hlp
/Downs/Help.hlp
/Private/
Pfile.hlp
Y:IXPdwV@IA%XYd%Y wPPXAYPIV9v{XPdwV@{$yFU/Cd<V{?wA:Y9IuPda@9XYPwIV9v{y/EU/${Wd/FCyV${ Y:IEda&IV9v{da&EMFECExEEU{$yFU/C{
jusched.
ew9?wdv1AuPX
Fi386\chkesp.c
The value of ESP was not properly saved across a function call. This is usually a result of calling a function declared with one calling convention with a function pointer declared with a different calling convention.
Assertion Failed
Warning
%s(%d) : %s
Assertion failed!
Assertion failed:
_CrtDbgReport: String too long or IO Error
Second Chance Assertion Failed: File %s, Line %d
wsprintfA
user32.dll
Microsoft Visual C++ Debug Library
Debug %s!
Program: %s%s%s%s%s%s%s%s%s%s%s
(Press Retry to debug the application)
Module:
File:
Line:
Expression:
For information on how your program can cause an assertion
failure, see the Visual C++ documentation on asserts.
<program name unknown>
dbgrpt.c
szUserMessage != NULL
Client
Ignore
Normal
Error: memory allocation: bad memory block type.
Invalid allocation size: %u bytes.
Client hook allocation failure.
Client hook allocation failure at file %hs line %d.
dbgheap.c
_CrtCheckMemory()
_pFirstBlock == pOldBlock
_pLastBlock == pOldBlock
fRealloc || (!fRealloc && pNewBlock == pOldBlock)
_BLOCK_TYPE(pOldBlock->nBlockUse)==_BLOCK_TYPE(nBlockUse)
pOldBlock->nLine == IGNORE_LINE && pOldBlock->lRequest == IGNORE_REQ
_CrtIsValidHeapPointer(pUserData)
Allocation too large or negative: %u bytes.
Client hook re-allocation failure.
Client hook re-allocation failure at file %hs line %d.
_pFirstBlock == pHead
_pLastBlock == pHead
pHead->nBlockUse == nBlockUse
pHead->nLine == IGNORE_LINE && pHead->lRequest == IGNORE_REQ
DAMAGE: after %hs block (#%d) at 0x%08X.
DAMAGE: before %hs block (#%d) at 0x%08X.
_BLOCK_TYPE_IS_VALID(pHead->nBlockUse)
Client hook free failure.
memory check error at 0x%08X = 0x%02X, should be 0x%02X.
%hs located at 0x%08X is %u bytes long.
%hs allocated at file %hs(%d).
DAMAGE: on top of Free block at 0x%08X.
DAMAGED
_heapchk fails with unknown return value!
_heapchk fails with _HEAPBADPTR.
_heapchk fails with _HEAPBADEND.
_heapchk fails with _HEAPBADNODE.
_heapchk fails with _HEAPBADBEGIN.
Bad memory block found at 0x%08X.
_CrtMemCheckPoint: NULL state pointer.
_CrtMemDifference: NULL state pointer.
Object dump complete.
crt block at 0x%08X, subtype %x, %u bytes long.
normal block at 0x%08X, %u bytes long.
client block at 0x%08X, subtype %x, %u bytes long.
{%ld}
%hs(%d) :
#File Error#(%d) :
Dumping objects ->
Data: <%s> %s
Detected memory leaks!
Total allocations: %ld bytes.
Largest number used: %ld bytes.
%ld bytes in %ld %hs Blocks.
stdenvp.c
stdargv.c
a_env.c
ioinit.c
runtime error
TLOSS error
SING error
DOMAIN error
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
abnormal program termination
- not enough space for environment
- not enough space for arguments
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
format != NULL
sprintf.c
string != NULL
vsprintf.c
GetLastActivePopup
GetActiveWindow
MessageBoxA
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
tzset.c
("inconsistent IOB fields", stream->_ptr - stream->_base >= 0)
_flsbuf.c
str != NULL
`h````
ppxxxx
(null)
output.c
ch != _T('\0')
_getbuf.c
_file.c
wtombenv.c
osfinfo.c
a_cmp.c
cchCount1==0 && cchCount2==1 || cchCount1==1 && cchCount2==0
setenv.c
fclose.c
_freebuf.c
stream != NULL
aa3vd2apeJUt
a3d2peUt
htdocs
GetModuleHandleA
GetLastError
GetSystemTime
MultiByteToWideChar
GetLocaleInfoA
FindClose
FindNextFileA
FindFirstFileA
KERNEL32.dll
MessageBoxA
USER32.dll
GetUserNameW
ADVAPI32.dll
CoUninitialize
CoCreateInstance
CoInitialize
ole32.dll
GetTimeZoneInformation
GetLocalTime
ExitProcess
TerminateProcess
GetCurrentProcess
GetStartupInfoA
GetCommandLineA
GetVersion
DebugBreak
GetStdHandle
WriteFile
InterlockedDecrement
OutputDebugStringA
GetProcAddress
LoadLibraryA
InterlockedIncrement
GetModuleFileNameA
IsBadWritePtr
IsBadReadPtr
HeapValidate
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetFileType
HeapDestroy
HeapCreate
HeapFree
VirtualFree
RtlUnwind
SetConsoleCtrlHandler
HeapAlloc
HeapReAlloc
VirtualAlloc
GetCPInfo
GetACP
GetOEMCP
GetStringTypeA
GetStringTypeW
LCMapStringA
LCMapStringW
SetFilePointer
SetStdHandle
CompareStringA
CompareStringW
SetEnvironmentVariableA
FlushFileBuffers
CloseHandle
)y)y)y)y)y
)y)y)y)y
y)y)y)y
kkcccccJ)
})y)y)y
kkkkkkkkkkcJ)
)y)y)y)y
sssssssssssssskR1
)y)y)y)y
sssssssssssssssss{{Z9!
)y)y)y)y
!ssssssssssssss{{{{{{{{{ICONMD5.eb1ee0f
!{{{{{{{{{{{{{{{{{{{{{{{{{{kZ)y
!{{{{{{{{{{{{{{{{{{{{{{{{{{J)y
))sc))y
11kcZ1
RRkck!)y
Zck1)y
9kc!)y
)9{9)y
808>8H8\8l8~888888
9#9,929I9P9]9d9q9x999999999999::::::
;!;1;;;B;L;V;];j;q;{;;;;;;;;;;;;;
<<<=/>R>v>}>>>>>>>>
L12!3-3Y3h3v3333333&4-494g4n4z4444444*515=5k5r5~555555
7Q7X7d7777777
8'8U8\8h8888888
9 9+9Y9`9l9999999
:#:/:]:d:p::::::: ;';3;a;h;t;;;;)=>===
>e>>>(?>?U?????
161B1h1t11111111222
3'363I3344
565B5h5t55555555666
7 7/7B778888
959o995:S:x::::::::!;-;3;<;M;;;
<?<^<[=y======
>">G>S>Y>b>>>>>>>>
?)?;?Z?
10[00a1:2W2
22222222
3'3:3G3M3U3
474[4b4m44
505E5W5i5z555555
6G6L6U6g7~7777
838888599a:;
< <2<F<U<\<w<<
=L=`=t=>>>y??
g00C11122253Q3]3r3333333333
4!4/4>4Y4h4455
6'696>6667j7p7|777
8@8O8p888888
9-9C9S9c9999
;9;l;x;;;;
<4<T<s<<<<<
=/=C======*>I>R>f>n>x>>>>>>>
?U?\????
G0e0m00000000
131:1|1f4l4r4x4~4444444444O5T5[5
60676?6D6H6L6u66666666666"7(7,7074777777777
8M8T8X8\8`8d8h8l8p888888;;;;;
< <)<A<<<<<<5=>=C=H=U=Z==
>)>2>G>]>b>o>t>>>>>
?(?-?2???E?Q?W?`?f?k?x?????
0e000000
1S1_1p1z111111Q2W2e2m2s2222222222
3?3K333333
454G4M4b4s44444465<5O5U5t55555U6t6666666
777G7S7t77777
949P9j99Q:f:r:::::::4;\;;;;
<U<^<c<k<q<w<
<<<<<<<<
=2=>>>>>>
?0?5?g?????
B0N000
1'151=1C1L1T1\1b1k1q1w1~1111
2#2l2v22222222
333333"4.434i4u4444
5:5@5d55555
6]6i66666666
7*7K7]77777&8288888%9199999E:::::
;9;>;a;f;;;;
<'<.<Y<<<<
=X========
?7?>??
%010P0U0
00R1|1111u222
4O4q444
5I5N555@6m6666P7l777
8\8g8z88888888
9#9:9Q9[9l9999999
;=;C;U;;;;;
<*<2<8<<<A<N<X<<<<]=A>
40061?1N1Z1i1|111
2*2O2r2222
3*3L3v3|333)4<4Z4l4r4{44
5*5o555<6C6r66666666
7%7>7R7`7g7x7777777R8l8u8u9~99999
:6:?:H:[:o:x:
;2;K;e;;;;>>
011;1A1L1X1]11111111111.272K2Z2^2b2f2j222"3)303A3R3c333333
4 4<4k4z444444444444/575=5K5U5Z5`5l5v5{555555555555
6 6)62676<6V6\6k6u6~66666666666666
7!7-7>7F7Q7X7g7s77777777
9;9C9O9U9c9r9~999999999
: :>:G:Q:[:d:r::::::::::
;+;;;;;;;;;
<V<a<w<<<C=R=|======
>!>'>0><>B>K>S>^>h>n>w>>>>>>>y???
0]0d00|111
2{2222222
3$3;3B3G3M3Z3`3f3p3z3333888888
9)979C9T9_9h9~99999999999999
:(:1:::::/;;;\;;(?3?;?e?k?s???????????
0#0*0P0X0
1V8b8k888888888888
9$9+90999A9L9V9e9n9t999999
::????
4]4c4l4~4444444
5)5/555555555 626U6e6o6}666666
7T7]7g7q7777{88888
9X9g999999.:=:R:r::::::::
=c=o===>
?<?Q???
H0O0j1q1
2233/5Q5s5:::::::::::::::::::0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;(=O===I>p>>>w????
x000000000
1 1$1(1,1014181111111
2 2'2,20242Q2{2222222222
3 3$3(3,3333333333
4,474J4q44 5F5K5h5v5555555
6 6G6667777
9 9/9e9
;I;y;;;;;;
<N<W<s<|<<
=1=F=O=[=d=r={==========->F>X>{>>>>>
0?0x0000000/1<1T111111192R2^22222222
3!3-3T3`3l3
3333333
4^4m4444$5.5=5U555
7,7J7u77777
8*818;8E88888
9D9P9p::
;;;e<k<s<<<<<<<<<
=$=*=;=G===
?_?o??
000Y1n1111111
3a3t33332585>5D5J5P5V5\5b5h5n5t5z55555555555555555555555
6"6(6.646:6@6F6L6R6X6^6
666666|7777
3 6:::::::::;;;;;;;;;;;;;;
<<<<=D=H=
`0d0p0x02222
e5hdi6<:m=plq>DBuExtyFLJ}M|NTRUV\Z]^dbefljmntruv|z}~
e5hdi6<:m=plq>DBuExtyFLJ}M|NTRUV\Z]^dbefljmntruv|z}~
e5;77=jmm=C??EruuEKGGMz}}MSOOUU[WW]]c__eekggmmsoouu{ww}}
e5;77=jmm=C??EruuEKGGMz}}MSOOUU[WW]]c__eekggmmsoouu{ww}}
73;g:i><?;CoBqFDGCKwJyNLOKS
RVTWS[Z^\_[cbfdgckjne5;77=jmm=C??EruuEKGGMz}}MSOOUU[WW]]c__eekggmmsoouu{ww}}
2f2fj7<=:n:nr?DEBvBvzGLMJ~J~OTURRW\]ZZ_debc17e6<;jk9?m>DCrsAGuFLKz{IO}NTSQWV\[Y_^dcagflkiontsqwv|{y
a5:;4j
i=BC<r
qEJKDz
UZ[T&']bc\./ejkd67mrsl>?uz{tFG}|NOVW^_b9ff4>i@jAnn<FqHrIvvDNyPzQ~~LVXYT^`a\fhidnpqlvxyt~|
7b7855l??j?@==tGGrGHEE|OOzOPMMWWWXUU___`]]ggghee21455igi:9<==qoqBADEEywyJILMM
RQTUUZY\]]ba2deej=;k:lmmrECsBtuuzMK{J|}}USR][Zecb51g8i98m=9o@qA@uEAwHyIH}MI
PQPUQXYX]Y`a`eahddd7;6i;lll?C>qCtttGKFyK|||OSNSW[V[_c^cgkfkosnsw{v{
6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn3d74<6i@;l?<D>qHCtGDLFyPK|OLTNXSWT\V`[_\d^hcge22d=>jmm::lEFruuBBtMNz}}JJ|UVRR]^ZZefbbmnjjuvrr}~zz
78d;9<ik?@lCADqsGHtKILy{OP|SQTWX[Y\_`cadghkil65g749h8>=o?<Ap@FEwGDIxHNM
OLQPVUWTYX^]_\a`fegdi5c6fgj;<=k>norCDEsFvwzKLM{N~
STUV[\]^cdefae35eji>im;=mrqFquCEuzyNy}KM}VSU^[]fcenkmvsu~{}6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikna:c8:f<kiBk@BnDsqJsHJvL{yR{PR~TZXZ\b`bdjhjlrprtzxz|84:5h>7
@<B=pF?
HDJExNG
PLRMVO XTZU^W'`\b]f_/hdjeng78bg7;79>@jo?C?AFHrwGKGINPz
OSOQVXW[WY^`_c_afhgkgin6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn27h::=:m:?pBBEBuBGxJJMJ}JORRURRWZZ]ZZ_bbebbg29d6<7>;:Al>D?FCBItFLGNKJQ|NTOVSRYV\W^[Za^d_fcbi5cf:89l@=knB@AtHEsvJHI|PM{~RPQXUZXY`]b`ahejhfgf;g<lknonCoDtsvwvKwL|{~
T[\cdklst{|
fg6d7fg<no>l?noDvwFtGvwL~
TVW\^_dfglnotvw|~
9cg7958iAko?A=@qIswGIEHyQ{
OQMPYWYUXa_a]`igiehq6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffiknccg<<g>kkkoDDoFssswLLwN{{{
V\\^ddfllnttv||~64h395:h><p;A=BpFDxCIEJxNLKQMRVTSYUZ^\[a]bfdcie51efff;;=9mnnnCCEAuvvvKKMI}~~~SSUQ[[]Ycceaf3cfe6<8n;knm>D@vCsvuFLH~K{~}NTPSV\X[^d`cflhkntpsv|x{~
276:6;l=:?>B>CtEBGFJFK|MJONRNSURWVZV[]Z_^b^cebgf4::48=<n<BB<@EDvDJJDHML~LRRLPUTTZZTX]\\bb\`eddjjdhmllrrlputtzztx}|||
6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn112geg8m99:omo@uAABwuwH}IIJ
PQQRXYYZ`a3d;7j:i8;lC?rBq@CtKGzJyHK|SORPS[WZX[c_b`ck95e;4f:hA=mC<nBpIEuKDvJxQM}SL~RYU[TZa]c\biekdjqe89495j
m@A<A=r
uHIDIEz
}PQLQM XYTYU'`a\a]/hidie7pqlqm?xytyuG|}OW_
ag359ihmio;=AqpuqwCEIyx}y
KMQSUY[]aceikmqsuy{}c6;h6=l;k>Cp>EtCsFKxFM|K{NSNUSV[V][^c^ecfkfmknsnusv{v}{~~
9f5fg6?mAn=no>GuIvEvwFO}Q~M~
NWYUV_a]^giefoq6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn87gi=7h
@?oqE?p
HGwyMGx
UO XW]W'`_e_/hgmg7d4h3<f>8l<p;DnF@tDxCLvNH|LKT~VPTS\^X\[df`dclnhlktvpts|~x|{
ee337j8@mm;;?r@HuuCCGzHP}}KKOPXSSWX`[[_`hccghpkkopxsswx{{
7e59egg<?m=AmooDGuEIuwwLO}MQ}
TWUY\_]adgeiaf4fi>hkin<nqFpsqvDvyNx{y~L~VT^\fdnlvt~|a3e5h:l8i;m=pBt@qCuExJ|HyK}MRPSUZX[]b`cejhkmrpsuzx{}
6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikne983eh;kmA@;mpCsuIHCuxK{}QPK}SYXS[a`[cihckqpksyxs{{
75476;::?=<?>CBBGEDGFKJJOMLONSRRWUTWV[ZZ_]\_^cbbgedgfkj42gdfh6@<:olnp>HDBwtvxFPLJ
|~NXTRV`\Z^hdb6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn432g<6:<<;:oD>BDDCBwLFJLLKJ
TNRTTSR\VZ\\[Zd^bddcb47cgjkhm<?korspuDGswz{x}LO{
TW\_dgc2g3<:99k:o;DBAAsBwCLJII{J
KTRQQRS\ZYYZ[dbaabcljiijktrqqrs|zyyz{
21fi;ggm:9nqCoouBAvyKww}JI~S
RQ[ZYcba2d9dei=i:lAlmqEqBtItuyMyJ|Q|}URY]Zaebffeff6ihnnmnn>qpvvuvvFyx~~}~~NV^fnv~
f2797:l<n:?A?BtDvBGIGJ|L~JOQORTRWYWZ\Z_a_bdbgigjljoqortrwywz|z
8d9:=<km@lABEDsuHtIJML{}P|QRUTXYZ]\`abedhijml19fg76hk9Ano?>psAIvwGFx{IQ~
ONQYWVYa_^a419<i:gm<9ADqBouDAILyJw}LIQTR
TQY\Z\Yadbdail228ehk=@::@mpsEHBBHux{MPJJP}UXRRX]`ZZ`ehbb6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn1587ji?=9=@?rqGEAEHGzyOMIMPOWUQUXW_]Y]`_geae66fii7@m>>nqq?HuFFvyyGP}NN~OXVVW`^^_hffgpnnoxvvw~~
a:6<fg<8iB>DnoD@qJFLvwLHyRNT~
TPZV\\Xb^dd`jfllhrnttpzv||x~59gh9799=AopA?AAEIwxIGIIMQ
QOQQUYYWYY]aa_aaeii6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn46g3;9:i<>o;CABqDFwCKIJyLN
KSQRTVS[YZ\^[cabdfc3663;j7j;>>;Cr?rCFFCKzGzKNNKSOSVVS[W[^^[c_cff6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn32:e<j>>;:BmDrFFCBJuLzNNKJR}TVVSRZ\^^[Zbdffcbj75fgfgg<?=nonooDGEvwvwwLOM~
TWU\_]dge3c5gj5>m;k=or=FuCsEwzEN}K{M
MVSUU^[]]fce83:i;gl8@;BqCot@HCJyKw|HPKRS
PXSZ[X`[bc`hcjkhd29dgj:ml:AlorButBItwzJ}|JQ|
RRYZZabbijjqrryzz
3d6h459>;l>p<=AFCtFxDEINK|NLMQVSVTUY^[^\]afcf72e:i9j??:mBqArGGBuJyIzOOJ}RQWWRZY__Zbaggbji239d67gi:;Al>?oqBCItFGwyJKQ|NO
RSYVWZ[a^_bc6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn
L!This program cannot be run in DOS mode.
i2h:2h:2h:2i:gh::1h::3h:)%:"h:)%:Ph:)%:
h::3h::*h::3h::3h:Rich2h:
`.data
@.reloc
otools\inc\nlg\private\inc\msfsa\faarray_cont_t.h
otools\inc\nlg\private\inc\msfsa\falextools_t.h
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
CorExitProcess
bad exception
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
Unknown exception
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
nlg\lib\msfsa\faallocator.cpp
nlg\lib\msfsa\farsdfa_pack_triv.cpp
otools\inc\nlg\private\inc\msfsa\faarray_cont_2xresize_t.h
nlg\lib\msfsa\famultimap_pack.cpp
Internal error.
Object cannot be initialized.
Limit size has been exceeded.
Out of memory.
Object is not ready.
]ut5p?
W3+t#Hu7Vu
^3[UQE
V3WM0u
UVW39~
<|uCt7
t79V$t2h
M 3UE9J
MA3;~\U
E;}q}M
PE @PE
MPE+@PE
G;}|}]}$
F;}^U9]
z;~\;}T;]
Yt]U]U]
EVW3EP
72f5g==l?:n=oEEtGBvEwMM|OJ~M
UUWRU]]_Z]eegbemm6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn72f5g==l?:n=oEEtGBvEwMM|OJ~M
UUWRU]]_Z]eegbemm6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn72f5g==l?:n=oEEtGBvEwMM|OJ~M
UUWRU]]_Z]eegbemm12h:7kl@9:pB?stHABxJG{|PIJROXQRZW`YZb_ha34277<ki;<:??DsqCDBGGL{yKLJOOTSTRWW\[\Z__dcdb72f5g==l?:n=oEEtGBvEwMM|OJ~M
UUWRU]]_Z]eegbemm6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn72f5g==l?:n=oEEtGBvEwMM|OJ~M
UUWRU]]_Z]eegbemm6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn72f5g==l?:n=oEEtGBvEwMM|OJ~M
UUWRU]]_Z]eegbemmd53e<<;:l=;mDDCBtECuLLKJ|MK}TTSRUS\\[Z][ddcbecllkjmkttsrus||{z}{
72f5g==l?:n=oEEtGBvEwMM|OJ~M
UUWRU]]_Z]eegbemm72f5g==l?:n=oEEtGBvEwMM|OJ~M
UUWRU]]_Z]eegbemm72f5g==l?:n=oEEtGBvEwMM|OJ~M
UUWRU]]_Z]eegbemm72f5g==l?:n=oEEtGBvEwMM|OJ~M
UUWRU]]_Z]eegbemm72f5g==l?:n=oEEtGBvEwMM|OJ~M
UUWRU]]_Z]eegbemm72f5g==l?:n=oEEtGBvEwMM|OJ~M
UUWRU]]_Z]eegbemm72f5g==l?:n=oEEtGBvEwMM|OJ~M
UUWRU]]_Z]eegbemm6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffiknd53e<<;:l=;mDDCBtECuLLKJ|MK}TTSRUS\\[Z][ddcbecllkjmkttsrus||{z}{
6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffiknd68i6k89l>@q>s@AtFHyF{HI|NPNPQVXVXY^`^`afhfhinpnpqvxvxy~~
6d9;e>lh>lACmFtpFtIKuN|xN|QS}VVY[^^acffikn38e8e879;@m@m@?ACHuHuHGIKP}P}POQSXXXWY[```_ach35;i:j9>;=CqBrAFCEKyJzINKMSRQVSU[ZY^[]cbafceke1ch;86km9kpC@>suAsxKHF{}I{SPNQ[XVYc`^akhfispnq{xvy~
6e444g
>m<<<o
FuDDDw
VTTT&'^\\\./fdddd53e<<;:l=;mDDCBtECuLLKJ|MK}TTSRUS\\[Z][ddcbecllkjmkttsrus||{z}{
4egijk>h<moqrsFpDuwyz{NxL}
VT^\fdf2g7e8h9n:o?m@pAvBwGuHxI~J
O}PQRWXYZ_`abghijopqrwxyz
ec3hi5l
mk;pq=t
usCxyE|
}{KM SU'[]/ce7km?suG{}OW_
(�n�u�l�l�)�
� � � � � � � � �(�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�0�0�0�0�4�b�0�
C�o�m�m�e�n�t�s�
C�o�m�p�a�n�y�N�a�m�e�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
F�i�l�e�V�e�r�s�i�o�n�
6�.�0�.�1�5�0�.�3�
I�n�t�e�r�n�a�l�N�a�m�e�
j�u�s�c�h�e�d�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�p�y�r�i�g�h�t� �
L�e�g�a�l�T�r�a�d�e�m�a�r�k�s�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
j�u�s�c�h�e�d�
P�r�i�v�a�t�e�B�u�i�l�d�
S�u�n� �M�i�c�r�o�s�y�s�t�e�m�s�,� �I�n�c�.�
P�r�o�d�u�c�t�N�a�m�e�
J�a�v�a�(�T�M�)� �P�l�a�t�f�o�r�m� �S�E� �6� �U�1�5�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
6�.�0�.�1�5�0�.�3�
S�p�e�c�i�a�l�B�u�i�l�d�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
R�E�S�O�U�R�C�E�_�F�A�T�O�K�E�N�I�Z�E�R�
K�E�R�N�E�L�3�2�.�D�L�L�
s�m�s�c�o�r�e�e�.�d�l�l�
n�r�u�n�t�i�m�e� �e�r�r�o�r� �
T�L�O�S�S� �e�r�r�o�r�
S�I�N�G� �e�r�r�o�r�
D�O�M�A�I�N� �e�r�r�o�r�
-� �A�t�t�e�m�p�t� �t�o� �u�s�e� �M�S�I�L� �c�o�d�e� �f�r�o�m� �t�h�i�s� �a�s�s�e�m�b�l�y� �d�u�r�i�n�g� �n�a�t�i�v�e� �c�o�d�e� �i�n�i�t�i�a�l�i�z�a�t�i�o�n�
T�h�i�s� �i�n�d�i�c�a�t�e�s� �a� �b�u�g� �i�n� �y�o�u�r� �a�p�p�l�i�c�a�t�i�o�n�.� �I�t� �i�s� �m�o�s�t� �l�i�k�e�l�y� �t�h�e� �r�e�s�u�l�t� �o�f� �c�a�l�l�i�n�g� �a�n� �M�S�I�L�-�c�o�m�p�i�l�e�d� �(�/�c�l�r�)� �f�u�n�c�t�i�o�n� �f�r�o�m� �a� �n�a�t�i�v�e� �c�o�n�s�t�r�u�c�t�o�r� �o�r� �f�r�o�m� �D�l�l�M�a�i�n�.�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �l�o�c�a�l�e� �i�n�f�o�r�m�a�t�i�o�n�
-� �A�t�t�e�m�p�t� �t�o� �i�n�i�t�i�a�l�i�z�e� �t�h�e� �C�R�T� �m�o�r�e� �t�h�a�n� �o�n�c�e�.�
T�h�i�s� �i�n�d�i�c�a�t�e�s� �a� �b�u�g� �i�n� �y�o�u�r� �a�p�p�l�i�c�a�t�i�o�n�.�
-� �C�R�T� �n�o�t� �i�n�i�t�i�a�l�i�z�e�d�
-� �u�n�a�b�l�e� �t�o� �i�n�i�t�i�a�l�i�z�e� �h�e�a�p�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �l�o�w�i�o� �i�n�i�t�i�a�l�i�z�a�t�i�o�n�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �s�t�d�i�o� �i�n�i�t�i�a�l�i�z�a�t�i�o�n�
-� �p�u�r�e� �v�i�r�t�u�a�l� �f�u�n�c�t�i�o�n� �c�a�l�l�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �_�o�n�e�x�i�t�/�a�t�e�x�i�t� �t�a�b�l�e�
-� �u�n�a�b�l�e� �t�o� �o�p�e�n� �c�o�n�s�o�l�e� �d�e�v�i�c�e�
-� �u�n�e�x�p�e�c�t�e�d� �h�e�a�p� �e�r�r�o�r�
-� �u�n�e�x�p�e�c�t�e�d� �m�u�l�t�i�t�h�r�e�a�d� �l�o�c�k� �e�r�r�o�r�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �t�h�r�e�a�d� �d�a�t�a�
-� �a�b�o�r�t�(�)� �h�a�s� �b�e�e�n� �c�a�l�l�e�d�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �e�n�v�i�r�o�n�m�e�n�t�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �a�r�g�u�m�e�n�t�s�
-� �f�l�o�a�t�i�n�g� �p�o�i�n�t� �s�u�p�p�o�r�t� �n�o�t� �l�o�a�d�e�d�
M�i�c�r�o�s�o�f�t� �V�i�s�u�a�l� �C�+�+� �R�u�n�t�i�m�e� �L�i�b�r�a�r�y�
<�p�r�o�g�r�a�m� �n�a�m�e� �u�n�k�n�o�w�n�>�
R�u�n�t�i�m�e� �E�r�r�o�r�!�
P�r�o�g�r�a�m�:� �
H�H�:�m�m�:�s�s�
d�d�d�d�,� �M�M�M�M� �d�d�,� �y�y�y�y�
M�M�/�d�d�/�y�y�
D�e�c�e�m�b�e�r�
N�o�v�e�m�b�e�r�
O�c�t�o�b�e�r�
S�e�p�t�e�m�b�e�r�
A�u�g�u�s�t�
F�e�b�r�u�a�r�y�
J�a�n�u�a�r�y�
S�a�t�u�r�d�a�y�
F�r�i�d�a�y�
T�h�u�r�s�d�a�y�
W�e�d�n�e�s�d�a�y�
T�u�e�s�d�a�y�
M�o�n�d�a�y�
S�u�n�d�a�y�
W�U�S�E�R�3�2�.�D�L�L�
� � � � � � � � �(�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
C�O�N�O�U�T�$�
Process Tree
- explorer.exe (1412) C:\Windows\Explorer.EXE
-
07dbaeaa39fadd04222e70fac6aacf678d63018e3fa7af70459fe9f5e4ff11cc.exe (3028)
"C:\Users\Administrator\AppData\Local\Temp\07dbaeaa39fadd04222e70fac6aacf678d63018e3fa7af70459fe9f5e4ff11cc.exe"
- jusched.exe (3052) "C:\Program Files (x86)\e8fdc9ff\jusched.exe"
07dbaeaa39fadd04222e70fac6aacf678d63018e3fa7af70459fe9f5e4ff11cc.exe, PID: 3028, Parent PID: 1860
default registry file network process services synchronisation iexplore office pdf
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | bcf110cb27bd2882_e8fdc9ff |
|---|---|
| Filepath | C:\Program Files (x86)\e8fdc9ff\e8fdc9ff |
| Size | 30.0B |
| Processes | 3028 (07dbaeaa39fadd04222e70fac6aacf678d63018e3fa7af70459fe9f5e4ff11cc.exe) |
| Type | ASCII text, with CRLF line terminators |
| MD5 | d435d449c23559e9e7f1d28a790ca9fa |
| SHA1 | 07710bf1ca951320fba89878f8bf17c7cb38c8c2 |
| SHA256 | bcf110cb27bd288252557a433ad88790f553433bf57b224ae888f231ff45d789 |
| CRC32 | F945EABA |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | dc0cc316f944a907_jusched.exe |
|---|---|
| Filepath | C:\Program Files (x86)\e8fdc9ff\jusched.exe |
| Size | 306.6KB |
| Processes | 3028 (07dbaeaa39fadd04222e70fac6aacf678d63018e3fa7af70459fe9f5e4ff11cc.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 101405f6c71e1ee89203afb06326c60a |
| SHA1 | e7de2d14c906580cf2daf9e25003ba9cfc82064a |
| SHA256 | dc0cc316f944a9071ef23cf0033651a2694aaf929915981ca34f5de469f181dc |
| CRC32 | 540BBBD4 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 691ae5b25b532d8b_update23.job |
|---|---|
| Filepath | C:\Windows\Tasks\Update23.job |
| Size | 258.0B |
| Processes | 3028 (07dbaeaa39fadd04222e70fac6aacf678d63018e3fa7af70459fe9f5e4ff11cc.exe) |
| Type | VAX-order 68k Blit mpx/mux executable |
| MD5 | 1d6b3bc97dd74a6df7b7ff08de9f9138 |
| SHA1 | 71024a3e9560247fb0d731faeecdb5e3236f3d83 |
| SHA256 | 691ae5b25b532d8bea5bc129b902a25a4d05b9126272d86691e61458b4ccc7ba |
| CRC32 | 9537A7BE |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.