3.7
中危
DACN
0.15
FACILE
1.00
IMCLNet
0.80
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Trojan-gen | 20200319 | 18.4.3895.0 |
| Baidu | None | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20200319 | 2013.8.14.323 |
| McAfee | W32/Gbot.worm | 20200318 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b3c370 | 20200319 | 1.0.0.1 |
静态指标
动态指标
在文件系统上创建可执行文件
(3 个事件)
| file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\qn8F0.exeSiwzg32AD6.exe |
| file | C:\Windows\psmVECNroITr.exe |
| file | C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qn8F0.exe |
创建隐藏或系统文件
(3 个事件)
将可执行文件投放到用户的 AppData 文件夹
(2 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\~rgeffere.tmp |
| file | C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qn8F0.exe |
搜索运行中的进程,可能用于识别沙箱规避、代码注入或内存转储的进程
(1 个事件)
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1727545317.953875 Process32NextW |
snapshot_handle:
0x0000e288
process_name: 챠ȍ뎏ﳮ裨(DӚ process_identifier: 3036216969 |
failed | 0 | 0 |
重复搜索未找到的进程,您可能希望在分析期间运行一个网络浏览器
(12 个事件)
查询潜在已安装的应用程序
(1 个事件)
可执行文件使用UPX压缩
(2 个事件)
| section | UPX0 | description | 节名称指示UPX | ||||||
| section | UPX1 | description | 节名称指示UPX | ||||||
网络通信
与未执行 DNS 查询的主机进行通信
(2 个事件)
| host | 114.114.114.114 | |||
| host | 129.27.9.247 | |||
在 Windows 启动时自我安装以实现自动运行
(3 个事件)
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ETRUSTCIPE | reg_value | C:\Windows\psmVECNroITr.exe | ||||||
| file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\qn8F0.exeSiwzg32AD6.exe | ||||||||
| file | C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qn8F0.exe | ||||||||
创建已知的 Bifrose 文件、注册表项和/或互斥体
(1 个事件)
| mutex | GhostBOT |
创建已知的 GhostBot 文件、注册表项和/或互斥体
(1 个事件)
| mutex | GhostBOT |
连接到不再响应请求的 IP 地址(合法服务通常会保持运行)
(1 个事件)
| dead_host | 129.27.9.247:6667 |
文件已被 VirusTotal 上 61 个反病毒引擎识别为恶意
(50 out of 61 个事件)
| ALYac | Trojan.GenericKDZ.57908 |
| APEX | Malicious |
| AVG | Win32:Trojan-gen |
| Acronis | suspicious |
| Ad-Aware | Trojan.GenericKDZ.57908 |
| AhnLab-V3 | Trojan/Win32.Downloader.C65943 |
| Antiy-AVL | Trojan[Backdoor]/Win32.Gobot |
| Arcabit | Trojan.Generic.DE234 |
| Avast | Win32:Trojan-gen |
| Avira | WORM/Rbot.Gen |
| BitDefender | Trojan.GenericKDZ.57908 |
| BitDefenderTheta | AI:Packer.F8C9D4531E |
| Bkav | W32.AIDetectVM.malware |
| CAT-QuickHeal | Backdoor.GobotPMF.S6936465 |
| CMC | Backdoor.Win32.Gobot!O |
| Comodo | Backdoor.Win32.Gobot.NAD@481f |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.b05cf6 |
| Cylance | Unsafe |
| Cyren | W32/Gobot.G.gen!Eldorado |
| DrWeb | Win32.HLLW.Ghostbot.75 |
| ESET-NOD32 | Win32/Gobot.NAD |
| Emsisoft | Trojan.GenericKDZ.57908 (B) |
| Endgame | malicious (moderate confidence) |
| F-Prot | W32/Gobot.G.gen!Eldorado |
| F-Secure | Worm.WORM/Rbot.Gen |
| FireEye | Generic.mg.8fdc125b05cf6e39 |
| Fortinet | W32/Gobot.ZZ!tr |
| GData | Trojan.GenericKDZ.57908 |
| Ikarus | Backdoor.Win32.Gobot |
| Invincea | heuristic |
| Jiangmin | Backdoor/Gobot.bi |
| K7AntiVirus | Trojan ( 004bcce41 ) |
| K7GW | Trojan ( 004bcce41 ) |
| Kaspersky | Backdoor.Win32.Gobot.a |
| MAX | malware (ai score=88) |
| Malwarebytes | Trojan.AgoBot |
| McAfee | W32/Gbot.worm |
| McAfee-GW-Edition | BehavesLike.Win32.PUPXAX.gm |
| MicroWorld-eScan | Trojan.GenericKDZ.57908 |
| Microsoft | Backdoor:Win32/Gbot |
| NANO-Antivirus | Trojan.Win32.Gobot.vpgvm |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | QVM41.1.Malware.Gen |
| Rising | Backdoor.Gobot.gu (RDMK:cmRtazqSuUw+gCHc+gFcelcI5DPr) |
| Sangfor | Malware |
| SentinelOne | DFI - Malicious PE |
| Sophos | Troj/GBot-I |
| Symantec | W32.Gobot.A |
| Tencent | Malware.Win32.Gencirc.10b3c370 |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
1992-06-20 06:22:17
PE Imphash
80927cc148d62022a9111445eeada396
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| UPX0 | 0x00001000 | 0x0000f000 | 0x0000f000 | 5.759691529959917 |
| UPX1 | 0x00010000 | 0x00007000 | 0x00006c00 | 2.519424927064359 |
| .rsrc | 0x00017000 | 0x00001000 | 0x00000400 | 2.72260154453552 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_RCDATA | 0x00014068 | 0x00000010 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
Imports
Library KERNEL32.DLL:
• 0x410200 LoadLibraryA
Library KERNEL32.DLL:
• 0x4100c8 GetCurrentThreadId
• 0x4100cc GetLastError
• 0x4100d0 ExitProcess
• 0x4100d4 CreateThread
• 0x4100d8 WriteFile
• 0x4100dc UnhandledExceptionFilter
• 0x4100e0 SetFilePointer
• 0x4100e4 SetEndOfFile
• 0x4100e8 RtlUnwind
• 0x4100ec ReadFile
• 0x4100f0 RaiseException
• 0x4100f4 GetStdHandle
• 0x4100f8 GetFileSize
• 0x4100fc GetSystemTime
• 0x410100 GetFileType
• 0x410104 CreateFileA
• 0x410108 CloseHandle
• 0x41010c GetCommandLineA
• 0x410110 TlsSetValue
• 0x410114 TlsGetValue
• 0x410118 LocalAlloc
• 0x41011c GetModuleHandleA
• 0x410120 GetModuleFileNameA
• 0x410124 FreeLibrary
• 0x410128 HeapFree
• 0x41012c HeapReAlloc
• 0x410130 HeapAlloc
• 0x410134 GetProcessHeap
Library KERNEL32.DLL:
• 0x410174 Sleep
• 0x410178 SetThreadPriority
• 0x41017c SetPriorityClass
• 0x410180 ReadFile
• 0x410184 MoveFileA
• 0x410188 GlobalMemoryStatus
• 0x41018c GetVersionExA
• 0x410190 GetTimeFormatA
• 0x410194 GetTickCount
• 0x410198 GetThreadPriority
• 0x41019c GetTempPathA
• 0x4101a0 GetSystemDirectoryA
• 0x4101a4 GetProcAddress
• 0x4101a8 GetPriorityClass
• 0x4101ac GetModuleHandleA
• 0x4101b0 GetLastError
• 0x4101b4 GetFileSize
• 0x4101b8 GetDiskFreeSpaceA
• 0x4101bc GetDateFormatA
• 0x4101c0 GetCurrentThread
• 0x4101c4 GetCurrentProcess
• 0x4101c8 FindNextFileA
• 0x4101cc FindFirstFileA
• 0x4101d0 FindClose
• 0x4101d4 FileTimeToLocalFileTime
• 0x4101d8 FileTimeToDosDateTime
• 0x4101dc ExitThread
• 0x4101e0 ExitProcess
• 0x4101e4 DeleteFileA
• 0x4101e8 CreateThread
• 0x4101ec CreateProcessA
• 0x4101f0 CreateMutexA
• 0x4101f4 CreateFileA
• 0x4101f8 CopyFileA
Library advapi32.dll:
• 0x410150 RegSetValueExA
• 0x410154 RegQueryValueExA
• 0x410158 RegQueryInfoKeyA
• 0x41015c RegOpenKeyExA
• 0x410160 RegEnumValueA
• 0x410164 RegCreateKeyExA
• 0x410168 RegCloseKey
• 0x41016c GetUserNameA
Library advapi32.dll:
• 0x410208 CloseServiceHandle
• 0x41020c ControlService
• 0x410210 OpenServiceA
• 0x410214 OpenSCManagerA
Library URLMON.DLL:
• 0x410224 URLDownloadToFileA
Library user32.dll:
• 0x41013c CharNextA
Library wsock32.dll:
• 0x41021c shutdown
L!This program must be run under Win32
StringX
TObjectd
TObjectX
System
$PRQP"
gW9tSVW
t1|9,9t:VW
_^SVWU
< v;"u
3C<"u1SX
>3Q<"u8S
< w]_^[
Ek<1fU
Ht Ht.g
6Huv=L
Z3E?E3s
3EE_^[Y]
f=r/f=w)f%f=u
f=v)f=w#j
RPCHPt$
-C GL$
SVWPtl11
-tb+t_$t_xtZXtU0u
FxtHXtCt
~ExC[)A
FuY12_^[
PRQYZXt5x
@~d@PQ@
YXYX
Iu9u_^[
PRQQTj
YZXtpH
S1VWUd
SPRQT$(j
Zd$,1Yd
t=HtN`
r6t0R=
t/=t&,*&"
SVWU$@
^s]_^[
PVS-_^[]
PQIZXSVW
ISVWRP1L
cKuZXu
JzZ_^[X$
thtkFW)w
9uXJt
8uAJt
t7JIt1S
PHZXHI|
St-Xt&J|
t0JN|*9}&~")9~
tVSVWU
t@t1SVW
1Z)_^[
Mu]_^[
USVWME]
3mEE;Et
u5];}}
;EUt]^
MO|"GE
U3Uhp4@
U3Uh5@
U3Uh5@
3U3Uh7@
5[_^U3Uh8@
UE3Uh9@
Ax3RP@
33EF 3RP@
F$3RP@
D]3ZYYd
Ek_^[]
U3Uh9@
PZU3Uh;@
uStrList@
TStrListSVWt
E([Y]SVW
U3UhI=@
TFileNamep=@
TSearchRecX
BFKu_^[
BFKu_^[
USEE3Uh
d0d UEy
33ZYYd
3Uhj?@
d0d UE
EE^[YY]
3URURURURP^
EUE3RPEUM
E3RPEUM
kernel32.dll
GetDiskFreeSpaceExA
uTC,PJSC
U3UhTC@
U3UhC@
d0d -@
U3ZYYd
d0d E}
E)EPEPj
U3ZYYd
E^E_^[]
MU3UhF@
jt`MAE3]K|JC3E@Ej
EFKu3ZYYd
E1E)_^[]
SVWUQ3
UQSVWME
P_^[Y]
UQSVW3EE
U33UhI@
UhSVWUEE3UhJ@
d0d E4hPh
3UhhJ@
d2d"EP
EC<u3ZYYd
E!_^[]S
SV3UhK@
Uh3ZYYd
,^[]USVW3
]]MUfE3Uh[L@
d0d 3EafuNfv
f3ufv:f
EU83ZYYd
UEw3UhON@
EoP39VP
E`_^[]
U3QQQQQQQS
d0d Uf9
ezRm0@
]-W@<@
Eu7)h@
U3Uh=S@
E3UhS@
fv1fv*
ECfu3ZYYd
UEE3UhT@
J3ZYYd
TMMUEEE3Uh
d0d U@
TTE,W@
XEP3ZYYd
~rgeffere.tmp
U3UhmW@
d0d -@
8KG\*DF
EE3UhX@
d0d UE3
f]EPEPj
]3ZYYd
Eg[]UQ+
IuQMSV
UEEE5(@
d0d uh]@
<uO@KL
43#PUX@=t3ZYYd
U3QQQQQSVW3Uh
d0d <E
93ZYYd
U3QQQQQSVEE}3Uh
d0d ES
Hu$uh4`@
fu3ZYYd
S3Uh`@
d0d (@
UXLU(@
U3QQQQQQSV3Uha@
d0d (@
NUXU(@
S3Uhdb@
d0d (@
QUXU(@
U3QQQQQQSV3Uhjc@
d0d (@
d0d (@
w3ZYYd
IuQS3UhZe@
d0d (@
UXeU(@
>uO3hpe@
d0d (@
o3ZYYd
IuQSVW
3Uhsg@
d0d (@
k3ZYYd
S3Uhh@
d0d (@
UX`U(@
S3Uh`i@
d0d (@
U3QQQQQS3Uh2j@
d0d (@
I3ZYYd
U3QQQQQQQ3Uh3k@
U3Uh|k@
USVEE3Uh%l@
d0d h?
VSV3ZYYd
SVW3=@
zZN~I}
43ZYYd
IuQSVUEE
Operation completed!
Can not kill
process!
E PEbPW@
PRIVMSG
U3Uhqs@
U3Uhs@
}3ZYYd
TClientSocket@t@
TClientSocket
uSockets
TServerSocketUSVWt
u$E=P@
fEE'fG
_^[]tcp
U3Euhw@
U3Euhw@
U3E|uhw@
U3UhAy@
U3Uhyy@
U3Uhy@
TWebserverInfo
3Uhhz@
U3QQQQQSVWUEE
d0d Uf"
EPEUEY
lEJfv$f
EvD8\CfuU
23ZYYd
IuQSVWUEEk
d0d U3RU
EU^E8/u
S7HUL@
DX t7@UL@
Ef_^[]
</A> (
U3QQQQQSV]
QEPUfv
Q3ZYYd
uWebServer@
uWebServerUj
Q3ZYYd
Q3ZYYd
EmY]U3Uh@
r3ZYYd
U3Uh%@
U3Uh]@
UEUV`PSLP
EE3Em5@
t3ZYYd
PRIVMSG
ELuQ]v&
MMUEEu3Uh
d0d U0@
EU.3Uh
Download finished!
Error while downloading!
EE(3Uh
d0d E3
x3ZYYd
Execute completed!
UQSVEEO3Uh@
Eh^[Y]
d0d U@
E3ZYYd
IuQSVW3UhU@
d0d jF
EP]jFPhd@
jFzPhp@
Q3ZYYd
dd:MMM:yyyy
HH:mm:ss
MHz, RAM:
MB total,
MB free,
% in use, OS:
, build
). uptime:
m Date:
Time:
HostName:
WinPath:
SystemDir:
win2kpro
127.0.0.1
Ghost-BOT
SV3Uh'@
d0d EP @
IuQS3Uh
d0d E@
PEQPP@
E;PE~PP@
PENPP@
EU`~!h<@
UE_UP@
yUE.UE'Ud@
KHu_h@
PESPP@
PENPP@
Nickname is already in use.
PING :
MODE $NICK +i
MODE $CHAN +nts
PRIVMSG
VERSION
NOTICE
VERSION
login
PRIVMSG
KILLPROCESS
Process name missing!
EXECUTE
File name missing!
DOWNLOAD
DELETE
Delete Completed
Error: Delete!
RECONNECT
RENAME
Rename Completed
Error: Rename!
LISTPROCESSES
Operation Completed!
DISCONNECT
HTTPSERVER
http://
d0d EU@@
/\3ZYYd
~3ZYYd
U3QQQQQQQQSVW5(@
d0d 33
tNU UM
t!ExMEU
<3ZYYd
}x_^[]
U3QQQQQQ3Uh
d0d (@
^EPUf#
NUX~U(@
EPEUEY~EP@
Uk3ZYYd
U3QQQQQQQSVWE3Uh;@
LEPUf#
<UX}U(@
Hfrr@fE3@
EYEZHHu
FfuGfMuE8
@3ZYYd
{tv_^[]
d0d (@
UEYw|(@
Wzu[]U
UUEEi}
{MU{{?
UP{~IP3
~48.t)uh
zf?t3ZYYd
d0d cE
LyEtC{u3ZYYd
d0d t^(@
vPrYY]
v3ZYYd
u3ZYYd
Et5p:s
GhostBOT
|{eamc
y#M_E2#:
(sey<79;9?9;97)PPPPPPPPPPPPPPPpppppppppppJNNJJFVZZ^^ZZVVJJNNJJ66::>BIKIOIKIGY[Y_Y[YGIKIOIKIGy{CAGACAOACAGACA_ACAGACAOACA
tttt||mhu
qa{=pyz+{d`k
faOw`de}wnmyomvOO~VJLHT\HFGpHJ@^ZWJ
X`f~bfrxyEcjpt|
Rf~r}~}{q
cb{q`e&gx|w{beK{lhiysjIESQJKKzRF@DXXLBCl\]AD]SBK
M_j4F~vj|~;Zrr{ES
`|tdr|}sio
~wmyxFws~
sCNLWAKR
&&**..&
Sqj{ypxMwASKMC
Kq{iy|d~
eA}QKEWCFRHv_^L@\VT@@
^tksrpAEQsEQN
Wup{HISG
TplT@NO`LT
BLH@PF@
aIPFEEJH^
sUCQPPV
0UJJAIP[uI^^_KADGWAG\YYd\BKPRLZ2
1+!)*g.&&/)?=
`KHKHF
y_M_ZZ@
eIJH_'ROILF]X"tRF+TM]_[
YV[9_@DOCZ]sSD@AQ[BA]KIRSSbM5/auYDJYYNBTn^]VDXKV\O`P[L3$,$!75":?#()
"&#%127=3
v7?/|0;,
'KI$IM.p^AIDFSAQ
ZGAT^E@
[Bk[LHIYSJI%31*++
0!'.$;>n"5"!23<80x*/9/$-+
'jJVPG_@eDX^PV^
XY_V\CF
Z]JIZ[TPX`27!7<53-$
;>"(&<4!1 BWGAE
wXGl08~l%{zh8w?
UJK0{ml
A\RAAVJ\fVU^LP3.$7
2/),&=8
.;="4<'"0$$164
9$oGZPCOXH^`;hFYQLN[IYaSV#3-0+#2
jdW_NL]O[c
(!1+6)!<
"")!8#q
#%*<4/
;BVPTHH\RS9mwmrox
?NIT_V
n%./=y
yLV6$1VLO
[,-4xTL?yLV6$005UZ2/'/wwh#$%1P4)'1!('.$s152'1wwh#$%72*/3$6.f-&'2
54-+/)-=d/ !&
+2":'/?
??<67!33
yyb)"#BCDEFGHIJKLMNKc7?#W!;'v1.6]j
XD*;!>& MXA@A\ACG@YJLJK^]
`c03'].f+|<26
JZZJKLMFO
|gs;11
WXYHcO
RQA N[\E^L4[Z+!WV*L
`a|[G(TKP/PS%OZ7
defghb
jkl~N#JI7W
a; !&XIWK[NMN_{5
FMMNe;
~3().Pt;8*xyz{|}|}
G@MG^\
FKB]BB><
KEK\58
DEEEYA]
K#\D^BD
O_FIVD][
_QGBA[MO
FSQ\ZF
TVEY[T
@TCZWW
OYY]XVZNP
VNRI^NK
H\HHK[
TJ]]Z[Qt WKZN[Mvhaf
VL[JMax
LRLKmnljpjt ^N[cmlw
HLhvkm
Isdaliw
wd`pgdh
wqppdr
eii`{lx}(fk`zmcjb)trdh
eoe$q{dkbb%ahgj|}!m|{
#imkzgu({~bmjcb
|z|bxj$j
y.z|ldc~.y}qu
zz,|`y{}l#r}sp
|ur*s~rw~r+`rdtfg&}aeqey}
(ucqtlkv5{
vujnzhn7{mjjo6{z{kl<zy~jisx
=mrqpkqss1uunmz
=k{kss?sh
5%+7+7\
- +-\) /0!70T/20'-#$#[2&66 0V/+&-#'>$Z75??0e$2$''i(7:&>./9d0///RY`;$)l'/?99'##l$?4.!!685n'(#+;=><v/" !52&:;;;860.4.o#8<&2AAa/9#(<>3'b(5?7!=6%f>0$6:286.<"JI|?3%T4##7T*)3);<f!*9%$8 )-?f #03'6<.e000$;84<)4x3[6?7.BIy:3(+5693z6.)>4/NLt9/*/?NLw8,+}4:*<.(s5=+?/
888(}+.<
(/}/syz
751'8<"4 =$&(%"#!
ClsTKh`jbpf|f
CXCRHz|}1ELQ:UIm`QBqcuvftI@wkv
CTp{URVQM@UxiECNBry@BZA[[E
Di}UJxyol{bMP||zs
_`docz}PHA
HCFSLml
d|gKFbryu
GXBR^ncbe|fqI_yzq~nB
qD~qWADJBZ
Cmnef~vMG{zzH[vvwy~jvOO
|ww}tIQtxisC(0/
I]CO\}wqxIBvz{klxl*Gadt`}qaIvv}EXspnjTDP|wUCBLvhDC^ZJB
wRxtdzG_siyj
u{rH\|vkttA)
S]AXTXSG]
Txtr~ymui U|}vIl
hh.VzNUCJ
Xyaq|`Xt|pqEMQjJVRFDLX
L~|xt~1N}mEDLjJVRFDLX
[wk~TzIvzrHLDWW
HozwxA+
Byse0vNGM
^|jkLD
mCSCEPz
xJH^_@H
HIOXJTz
wHLQEWy
vCQGWGA\v
tccbf~t
KAOOtccbf~t
dVDHCw}BNJYqnEE]l
iDEUGDOOEL
nG}IhufIIGNouW@_AYGgO
4mFrHkt
]WXQCWlfP[XN\H2fOLudJrkB@X@VGj
6fFX_CCqn^E[e]GCDg
=dKH^BCJTXSlpGSVUN_ZJXL`
8gBO_A\_WFl{SP^[\eclb
z.&.*7-o!h@B@Jsu){D@K_FAlleidh
WEQGSY\PT\cnJP28
h]UTme]GCDgk_VSK_S
5 /!$41>{XTm`A[ix^f{WPbxZ!31!sCSIMjbV@P0uGXQjxBS\Wdq\PW!56"*
5'#/(8={]P@ECJ@e|U\PK s u
jqEYW^dlTF`t=gAWEgn[IObwv
-5- ({SEWfxNNSWQ'
sipgze}
xR]]e}SOal0$''
';9($(
>=72'=33&
YU\dpTXZ
/!/>>iL[PYb
3'-%>n[I_O_Y4
q;yRJTRV: 6*++
t9yP\]T
..<,/oILV+$
-".3-;
>"$*3%
b=p_Y) (jW%
8*'( /w/8.&
,)$($ ,
9<&;4
">,8<%#:*"
:3="$V
'%.")?
<&!#9=
(&#-!".
:!;;?44<)f
$?)? .$8==59
*0909)
9UXYY\
9%9',1=
1!;9:$
93 15)
; $994?5(
"0$$-*
-;):497
#153/58-
RQRQ;=6S
260:6+
#$,<(75)$
:(<(4.
=:(41<06
+3(33;-?.
h ..(5Y\]]
LoadLibraryA
GetCurrentThreadId
GetLastError
ExitProcess
CreateThread
WriteFile
UnhandledExceptionFilter
SetFilePointer
SetEndOfFile
RtlUnwind
ReadFile
RaiseException
GetStdHandle
GetFileSize
GetSystemTime
GetFileType
CreateFileA
CloseHandle
GetCommandLineA
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleA
GetModuleFileNameA
FreeLibrary
HeapFree
HeapReAlloc
HeapAlloc
GetProcessHeap
SetThreadPriority
SetPriorityClass
ReadFile
MoveFileA
GlobalMemoryStatus
GetVersionExA
GetTimeFormatA
GetTickCount
GetThreadPriority
GetTempPathA
GetSystemDirectoryA
GetProcAddress
GetPriorityClass
GetModuleHandleA
GetLastError
GetFileSize
GetDiskFreeSpaceA
GetDateFormatA
GetCurrentThread
GetCurrentProcess
FindNextFileA
FindFirstFileA
FindClose
FileTimeToLocalFileTime
FileTimeToDosDateTime
ExitThread
ExitProcess
DeleteFileA
CreateThread
CreateProcessA
CreateMutexA
CreateFileA
CopyFileA
RegSetValueExA
RegQueryValueExA
RegQueryInfoKeyA
RegOpenKeyExA
RegEnumValueA
RegCreateKeyExA
RegCloseKey
GetUserNameA
CloseServiceHandle
ControlService
OpenServiceA
OpenSCManagerA
SysFreeString
SysReAllocStringLen
URLDownloadToFileA
CharNextA
shutdown
.idata
.rdata
P.reloc
P.rsrc
2$i(7:&>
RY$)l99'##l$?4.!!685n'(#+
xv/"5P:;
860. o#8<&2aC/.q<>
b(^=6%i
oo@|%T4T7T*-)3);<f!*9%$8 #?f #
7@6<.e$YV[,&)3[6H.[_y:+5693zI)>vP
-+}4:*7(s5=+D.v
1'z"4 =$&(%6!
CXCRH}1ELQ:
UIQBqcuvftI@w
CTp{URVQM@UxiECNBry@B[[E
_`docz}PHA
KF%Kb4
GXBR^n#
e{qI_;q~nB
~Av^zH[vvw`o
I]CO\}xIBv
Kxl*GaI`laI:o_}EXenjTDwUCBL
wRxtdzG_siy
u{rV| ttA)
S]AXTXSG]*luw@
A{u~pKy
T8r~ymP Uo
0vIhh.VzN`J
XyaqK_Xt|pqEMQTRFDLX
L~|ao3~1N}mE
[Ym{~TzztLD
HozwxA+
BysVvNGM
mCSCEPz
HIOXJ`
waQ/AEWy
_/gBNJYqn]l
iF{UGD"
nG}IhufIIGNouW-@_AYGgO
]WXQCWlfP[XN2fOLudJrkB@X@VGj
6fFX_c^E[e]GCDg
Z{lpGSVUXL
8gB?_WFolSP^[\eclb
z.&.*7-o!h@XJsu
m4){D@Kf.l
WESY\PT\cnJP
h]UTm{k_VS7S
b5/!$41>{
ix^f{WPZ!31!/SIMCV@P0uxBS\WdqcW
#/(8={]P@E@U
YW^dlTFi=gA/gn[bwv
-5- ({SfxQNNSWQ'
p^';9($(
>='=/p33&
Yfdp<Z.6!_
J-%>l_HY4
q;yRgo4: 6)
9yP\]T
.$,/oILV+$
o-".3-;
b=p>)t
bab`>?
v-$"LO
%!#9hP
B-CF& .o$=59
9U_XY/
-*.8:>
#`3/58-
eLKv37
21(2hQ
=#T<06
F[+q;.
?;_xik
M4M8`XvM4
LoadLibraryA%
".UCurrTh
ExitA6m
Unhand
Elmd.)pH
?SM"Poin
E)Of7Rtl:wi9W
aiseH>StdH`
&"U1Siz
Type`m
loSB[("m
TlsValue
`X6ModulGA
;vGbBa+lM
Y8F!m
1FdNexY
4[w$URL
shYd1#
`DATAt}H
d.idXa
X+@Peb
dsrcO@
aDGLjA
KERNEL32.DLL
advapi32.dll
oleaut32.dll
URLMON.DLL
user32.dll
wsock32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey
SysFreeString
URLDownloadToFileA
CharNextA
shutdown
a\!A?0oTqU}
nJ=b.k
_-wEQI
-'>&Z{
P[kzh)j
v/5MEh
).eh')Oq
L S>Dz
w8kg\*dfMZ
L!This program cannot be run in DOS mode.
@.PB-PB=PB+P+
PQ|PB>PB,PB(PRichP
`.rdata
@.data
@.reloc
u=EPEPEPSu
r'EP5@
t(Vhe@
u3~ u-~
U8SW=,P@
E;Et+u
^_[UQSVY3
SSSPSv
uRSSSj
PQ4SVW@
N N$N4^U E
+EEEPE
38K Mt#?
HtHt\HtAHt
?t{C$tts(PG
YQ~4YtIv@v<
~$Yt0v0v,E@
8XEt;2
F$F(F,F0F4F8F<F@^VN45N$-^%,Q@
~7jDVI
EPMhv@
EPMt(u
t3h0f@
EPMh w@
SDHDPDKD{D
NDHDMFD
NDHDMFD
uEuuuP
Y^Utl$@
+@PWM<
E<PEPM
EXPE<PE
Mlv4y;v
E\<8\u
YEPEPM
M(ME,E
@E$M<E
E8E8E4D;F
Y_^[Mt3
M(U$f0
N ume(
YE(E(Pu(4
}(IM(t
?YY_^U<
SMMQPh
uBEPEPSuE6
uEPSVE
Y_^UQQE
EEPh*@
qY_^UQQE
EEPh*@
^UQQSV339]
]SVWp@
3QQjt$
W9t/9Q
UQQSV1^
t3h0f@
EPMh w@
^UQQVF
V0MxEPM
W3@_^[
VjSVP5
V0M/uEuuuPv
S3VWM3}f8MMME
u%EPEPEPj
u8EPVj
u%EPEPEPj
3M_3^
;th`p@
r^UQ5@
3Y@[~e
3PuEEd
3PeuEEd
Y__^[]QS\$
Vt$WhD@
EE8csmt
3EEEE;E
YYEEPEPu
YHhlB@
Yj\hx@
f wOf;t
1E3PeuEEEEd
Y__^[]Qt$
8csmu*x
;r_^VWpt@
;r_^%Q@
(;r3_^[Ujh y@
1E3PEd
Y_^[]%Q@
E3E3;u
^_[%Q@
%3F F$F(^Vt$
tD,uW39~$~!S^ Wi
G;~$|[N F
3F0F4F8^VF
N0^RUQQVF
QN00Mj3^
Mt3^xV5t@
5M%,Q@
M(%,Q@
cM%,Q@
J3:8w@
M<%,Q@
MX%,Q@
M$M,u(Y
J3{Tx@
|rdr|\plug_ins\weblink.api
|rdr|\plug_ins\updater.api
|rdr|\plug_ins\spelling.api
|rdr|\plug_ins\sendmail.api
|rdr|\plug_ins\search5.api
|rdr|\plug_ins\search.api
|rdr|\plug_ins\saveasrtf.api
|rdr|\plug_ins\reflow.api
|rdr|\plug_ins\readoutloud.api
|rdr|\plug_ins\ppklite.api
|rdr|\plug_ins\pddom.api
|rdr|\plug_ins\multimedia.api
|rdr|\plug_ins\makeaccessible.api
|rdr|\plug_ins\ia32.api
|rdr|\plug_ins\hls.api
|rdr|\plug_ins\escript.api
|rdr|\plug_ins\ebook.api
|rdr|\plug_ins\dva.api
|rdr|\plug_ins\digsig.api
|rdr|\plug_ins\compare.api
|rdr|\plug_ins\checkers.api
|rdr|\plug_ins\annots.api
|rdr|\plug_ins\acroform.api
|rdr|\plug_ins\accessibility.api
|rdr|\plug_ins\*.*
|rdr|\plug_ins
|rdr|\cooltype.dll
|rdr|\bib.dll
|rdr|\agm.dll
|rdr|\acrord32.exe
|rdr|\acrord32.dll
|rdr|\ace.dll
|cad|\desktop.ini
|cad|\adobe\acrobat\9.0\usercache.bin
|cad|\adobe\acrobat\9.0
|cad|\adobe\acrobat
|cad|\adobe
bad allocation
ADOBE_READLOGGER_CMD:COMMENT:%s
AfterORO
AfterOROConstruct
BeforeORO
map/set<T> too long
invalid map/set<T> iterator
|rdrp|
|acrp|
|ccam|
|ccdc|
|cpfc|
|ccad|
|ccsm|
SOFTWARE\Adobe\Acrobat Reader\9.0\InstallPath
SOFTWARE\Adobe\Adobe Acrobat\9.0\InstallPath
TEMP???-An update to Acrobat or Reader is being installed. Please wait until installation is complete and then try again.
TEMPqbc-An update to Acrobat or Reader is being installed. Please wait until installation is complete and then try again.
TEMP??u-An update to Acrobat or Reader is being installed. Please wait until installation is complete and then try again.
TEMP??-An update to Acrobat or Reader is being installed. Please wait until installation is complete and then try again.
TEMP???-An update to Acrobat or Reader is being installed. Please wait until installation is complete and then try again.
TEMP??-An update to Acrobat or Reader is being installed. Please wait until installation is complete and then try again.
TEMP??-An update to Acrobat or Reader is being installed. Please wait until installation is complete and then try again.
TEMP???-An update to Acrobat or Reader is being installed. Please wait until installation is complete and then try again.
TEMPu-An update to Acrobat or Reader is being installed. Please wait until installation is complete and then try again.
TEMP???-An update to Acrobat or Reader is being installed. Please wait until installation is complete and then try again.
TEMP?????-An update to Acrobat or Reader is being installed. Please wait until installation is complete and then try again.
TEMP????-An update to Acrobat or Reader is being installed. Please wait until installation is complete and then try again.
TEMP???-An update to Acrobat or Reader is being installed. Please wait until installation is complete and then try again.
TEMP-An update to Acrobat or Reader is being installed. Please wait until installation is complete and then try again.
An update to Acrobat or Reader is being installed. Please wait until installation is complete and then try again.
SOFTWARE\Adobe\Adobe Acrobat\9.0\Language
AcroWinMain
HeapSetInformation
RSDS#q
g:\Acro_root_ns\BuildResults\bin\Release\AcroRd32Exe.pdb
GetVersionExW
OutputDebugStringA
IsDebuggerPresent
GetSystemInfo
CloseHandle
UnmapViewOfFile
CreateFileA
VirtualQueryEx
GetCurrentProcess
MapViewOfFile
CreateFileMappingW
GetFileAttributesA
FindClose
FindNextFileA
FindFirstFileA
ReadFile
SetFilePointer
GetTempPathA
GetWindowsDirectoryA
GetSystemDirectoryA
SizeofResource
LockResource
LoadResource
FindResourceW
FindResourceExW
MultiByteToWideChar
LoadLibraryW
FreeLibrary
GetProcAddress
GetSystemDirectoryW
KERNEL32.dll
MessageBoxW
SendMessageW
FindWindowW
USER32.dll
RegCloseKey
RegQueryValueExW
RegOpenKeyW
RegQueryValueA
RegOpenKeyA
RegQueryValueExA
RegOpenKeyExA
ADVAPI32.dll
SHGetMalloc
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHELL32.dll
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
??$?MDU?$char_traits@D@std@@V?$allocator@D@1@@std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDI@Z
?erase@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@II@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
MSVCP80.dll
_snprintf
__CxxFrameHandler3
??0exception@std@@QAE@ABQBD@Z
?what@exception@std@@UBEPBDXZ
??0exception@std@@QAE@ABQBDH@Z
??1exception@std@@UAE@XZ
??3@YAXPAX@Z
??0exception@std@@QAE@XZ
_invalid_parameter_noinfo
??2@YAPAXI@Z
_CxxThrowException
??0exception@std@@QAE@ABV01@@Z
??_V@YAXPAX@Z
strchr
strrchr
strcpy
malloc
strlen
strcmp
memcpy_s
wcslen
memset
_stricmp
wcscat_s
MSVCR80.dll
?terminate@@YAXXZ
_unlock
__dllonexit
_encode_pointer
_onexit
_decode_pointer
_amsg_exit
__wgetmainargs
_cexit
_XcptFilter
_wcmdln
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_crt_debugger_hook
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_except_handler4_common
_invoke_watson
_controlfp_s
InterlockedExchange
InterlockedCompareExchange
GetStartupInfoW
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
GetACP
GetLocaleInfoA
GetThreadLocale
GetVersionExA
RaiseException
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
HeapDestroy
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
GetProcessHeap
UnregisterClassA
.?AVbad_alloc@std@@
.?AVexception@std@@
.?AVlogic_error@std@@
.?AVlength_error@std@@
.?AVout_of_range@std@@
.?AVCAtlException@ATL@@
.?AVtype_info@@
DDDDDDDDDDDDDDDDDDDDDD@
DDDDDDDDDDDDDDDDDDDDDD@
DDDDDDDDDDDDDDDDDDDDDD@
DDDDDDDDDDDDDDDDDDDDDD@
DDDDDDDDDDDDDDDDDDDDDD@
DDDDDDDDDDDDDDDDDDDDDD@
DDDxDDDDDDDDDDDDDDDDD@
DDDDDDDDDDDDDDDD@
DDDDDDDDDDDDDDDDDDDD@
DDDDDDDDDDDDDDD@
DDDGGDDDDDDDDDDDDDDD@
DDDDDDDDDDDDDDD@
DDDDDODDDDDDDDDDDDDD@
DDDDDDHDDDDDDDDDDDHD@
DDDDDDDDDDDDDDDxwDtD@
DDDDDDD
|DDDDGtDD@
DDDDDDDHHwDHDDDDD@
DDDDDDDGDDxwwxDD@
DDDDDDDDDDDDDD@
DDDDDDDD
DDDDDDDDDD@
DDDDDDDDHDLtDDDDDDDD@
DDDDDDDDGDDDDDDDDDD@
DDDDDDDDDDtDDDDDDDDD@
DDDDDDDDD
wDDDDDDDDDD@
DLHDDDDDDDDDD@
tDDDDDDDDDD@
LDDDDDDDD@
DDDDDDD@
DDDDDD@
DDDDD@
||DDD@
DDDDDD@\
DDDDDDDDDDDDDD@
DDDDDDDDDDDDDD@
DDDDDDDDDDDDDD@
DDDDDDDDDDDDDD@
DDDDDDDDDDDD@
DDDDDDDDDDDD@
DDHHtDDDDDDDDD@
DDDwDDDDDDDDD@
DDDGxDDDDDDDDD@
DDDDHtDDDGtD@
DDDDGtDtD@
DDDDDDGtD@
DDDDDODDDDDDD@
DDDDDHttDDDDD@
DDDDDDDDDDDD@
DDDDDD@
|DDDDD@
LDDDD@
DDDDDDDDDDDDDDDDDDDDDDDDxDDDDDDGDDDDDDDHDHDDDHt
xDDDDDDDL
DDDOLDDDDDxD
000000000000000000000000000________{{{{{
///////////////hhhhhhh
tttt0000_
t////////////hhhhh
ttt00{
ZZZZZZZZZZZZZ///////hhhh
ZZZZZZZZZZ//////hhhh
ZZZZZZ/////hhh
0hIIIIII1
ZZZZZZ////hhhhIIIIII
:TdIIIIIIII
ZZZZ////hhh/ &
J:) IIIIII
ZZZZ////t/y7)F
IIIII
UUUUUU
uUUUU IIII
UUUUUU III
UUUU III
888888888<2A(
)) ppIh
*III/I
P1T.?DrW%88%-.
I/I
,vw.?\jM9,
UUZ }}}}}GGGGGGGG}}
GGGGGG
QQQQQQQQQQQQQQQQ}
KKKKKKKKKKKKKKK
KKKKKK############K
KK########
1KKKKK
###CCCCCCCCCCCke####KKK
#CCCCCC
CCT####KK
1qVCCC###KK
~~~~~HHHH~~X"
CCC##KKK
~~~HHHHH!!!!HHO
CCC##KK
~~HHH!!!!!!!!!!V"H#H~~
CCC##KKK
~~HHH!!!!V!!HH~~
CC###KK
~HH!!!BBBBBBBBVm!!!HH~
CC##KK
Q~HH!!!BBB
Vz!!!HH~~
CC###KK
~HH!!BB
B!!HH~~
CC##KK
~HH!!BB
iiiiii
BB!!HH~
CC##KK
~HH!!BB
ii=====ii
B!!HH~
CC##KK
K~HH!!BB
ii=====ii
BB!!!H~~
CC##KK}K~HH!!B
i=====ii
B!!HH~
CC##KKG#
~H!!!BB
ii=====ii
B!!HH~
CC##KKG########KKKKK
rrrrrrrrr"""""""""""?????UUU
FFFbbb
RRrr""U
1111111111mmmm
1111mmm
"F4444T\LM44XXXX
4444XX
,,,,,^43
OOOE&u4X
\$js|.
9+w#hy
i}<3Oo
WWWWWWWWW
fffffffff)`
,,4^HH
]]]]]]]]]fC
]DDD!!!!!!!DIg]]
oe!!!qqqqqqqqq*f!DD]
q!!DD]
YYYYYYY>:
QQq!!D]
YBBB $*8Y
QQq!DD]
YBB ppppp
Qq!DD]
fYBB pp;;
Qq!DD]
HYB p;
dddd0v_;p BY
d5%%%]
]YB p;
d5%tt%5d
;p BY
Qq!DDWD
d5%%%%5d
QQ!!D)!qqqqqqqqqqq!!!!!DDD]
________________PPPPP
88P,--VB%AA
PNN( ]+
9??###UH
MMMMK./4
FFFF:LD?M
RRRM3#F
@$$$X
'',,,,**""
++hh@@""
++YY""
mmDDPP""
##bbCC##
//&&
zzxx66&&
##((,,77MMNNwwiiNN66**
**66[[22
LL[[--!!
**AAxxcc
xx66&&
((66ww]]
22==OO[[--##
ZZxxBB++!!
((AAffhhXX
66jj66((
55yyff66
AAjj66((
**hhLL!!~
MMjjBB++!!
55rr++
MMNN--&&
##MMZZ!!
MM\\66++##
(([[ff!!
@@uu\\66((!!
((ii55
##YY\\66++##
((iiZZ
66ggjjNN--((##
##[[66
AAttjjNN//++&&NNuu""
AAggzz
##55yybb
66gg??####
##**AAxx
""AAssjjOONNMM//----------------((--,,,,,,,,77MMOOoo
++MMtt
==||gg
LLiiLL
""66MMffhhYY66
55666677XXggggggggggggggggggggggffMM6666++
uuNN
NNCC''
NNttMM
ccyy00
44xxNN!!
|$$TTHHJJKKKKhh
EE\\^^
HHMM??
fftt
DD((JJ!!>>xx,,
"O8M"0(]5_
YZV8yger
PA<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Adobe.Reader" type="win32"></assemblyIdentity><description>Adobe Reader 9.0</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.762" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"><security><requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges></security></trustInfo></assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
090V0n000000
1&191C1R1X11111111111111
2:2J2Z2`2v2|222222!3<3R33314S4j444444405D5Z5m5555
6-6L6666
70767C7V7f77
8I8k899
::H;;;;
=!=*=?=J=h>|>>>> ?
(0[0q0z0002444
5]55555
6&66666-777+8088888P9s999
;<;^;;;;; <{<<<<<[=i={===
>l>~>>>>G?????
111116
7j7z777777777 858V8\8}88888
9#9*959Y9j9|9999999
:(:D:w::::
;w;;><D<J<P<<<<<<<<<
=J=T=[=a=f=k=p=u={========
>">8>=>F>K>X>i>o>v>>>>>>>(?0?9???G?S?u???????????????
0'0/050A0L0h0n0t0z000000000000000000
1.13191?1U1\1d1i111111142:2D2K2P2o2t22&3+3=3[3o3u333
4>4K4W4_4g4s44444444444
595U5j5q5w5}5555T6{666
747R7777
8F8U8o888888
9;99:::::
;';5;>;m;;;;;;;;
<?<z<<<<<<<<<<
='=,=6=B=L=V=`=j=u=y=
82<2@2D2H2L2P2\2`2
6??????
0111111111111111
2 222222222222
3 3$3,3D3T3X3h3l3p3t3|333333333333
4,4|44444
5,545<5@5H5\5d5x5555555
6 6H6\6l66666666666
7$7,747@7`7d7h7p7777777777777$8,848P8\888888
94989T9X9
0 0$0(0,0004080<0@0D0H0L0P0T0X0\0`0d0h0l0p0t0x0|000000000000000000
101P1T1X1`1d1l1p1x1|1111111111111111111111
2 2$2,20282<2D2H2P2T2\2`2h2l2t2x22222222222222222222222
3 3(3,34383@3D3L3P3X3\3d3h3p3t3|33333333333333333
4$4,444<4D4L4T4\4d4l4t4|44444444
8%a&Z0
VeriSign, Inc.1+0)
"VeriSign Time Stamping Services CA0
070615000000Z
120614235959Z0\1
VeriSign, Inc.1402
+VeriSign Time Stamping Services Signer - G200
J[/Kk5TX56^bMRQ4q{f
tvJcEG.k
http://ocsp.verisign.com0
,0*0(&$"http://crl.verisign.com/tss-ca.crl0
TSA1-20
89u6t:O7
\y>]r}
,CS}=*:O
4[^I230
Western Cape1
Durbanville1
Thawte1
Thawte Certification1 0
Thawte Timestamping CA0
031204000000Z
131203235959Z0S1
VeriSign, Inc.1+0)
"VeriSign Time Stamping Services CA0
30X~k6
R-H=]_
!fXWou<&]
http://ocsp.verisign.com0
:0806420http://crl.verisign.com/ThawteTimestampingCA.crl0
TSA2048-1-530
?7!Op18
'NzaA*^
AZ9xIef8
VeriSign, Inc.1705
.Class 3 Public Primary Certification Authority0
040716000000Z
140715235959Z01
VeriSign, Inc.1 0
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)041.0,
%VeriSign Class 3 Code Signing 2004 CA0
"'$l8'I
0q(wJQTom
UMm5(k\
c";Bi:
HRHo8l{D
https://www.verisign.com/rpa01
*0(0&$" http://crl.verisign.com/pca3.crl0
Class3CA2048-1-430
Q==d6|h[x
y0wca0_1
VeriSign, Inc.1705
.Class 3 Public Primary Certification Authority
J{UdU@IA.
lROuU"Au/cU}
TZY4_^z0
VeriSign, Inc.1 0
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)041.0,
%VeriSign Class 3 Code Signing 2004 CA0
060919000000Z
091105235959Z01
California1
San Jose1$0"
Adobe Systems, Incorporated1>0<
5Digital ID Class 3 - Microsoft Software Validation v21
Acrobat Engineering1$0"
Adobe Systems, Incorporated00
[dN.@rFJ
*Ofo[>S},m
9070531/http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D
https://www.verisign.com/rpa0
http://ocsp.verisign.com0?
3http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0
Q==d6|h[x
@02 }Y0nf$|Z-CT^
q2lW3xh/
VH%.r*[
KylRRKe(}#
]~2v9zG|y
Pj4"T_D'RW
o?0nWE
VeriSign, Inc.1 0
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)041.0,
%VeriSign Class 3 Code Signing 2004 CA
I;[.t\
160420
=8m7+ZpD
`z`L?>
UF;bG(X%
f$3<Oq&Sk
W;Y#~e0Z
Gd}bs
m_l:=T|L
mS}f;/_5Bf&
A�%�A�%�A�%�A�%�A�%�A�%�A�%�A�%�A�%�A�%�A�
A�%�A�%�A�%�A�
@�@�@�@�@�@�@�
D�V�C�L�A�L�
D�V�C�L�A�L�
E�n�a�b�l�e�P�r�e�f�e�t�c�h�e�r�
S�Y�S�T�E�M�\�C�u�r�r�e�n�t�C�o�n�t�r�o�l�S�e�t�\�C�o�n�t�r�o�l�\�S�e�s�s�i�o�n� �M�a�n�a�g�e�r�\�M�e�m�o�r�y� �M�a�n�a�g�e�m�e�n�t�\�P�r�e�f�e�t�c�h�P�a�r�a�m�e�t�e�r�s�
E�n�a�b�l�e�d�
S�o�f�t�w�a�r�e�\�A�d�o�b�e�\�A�c�r�o�b�a�t� �R�e�a�d�e�r�\�9�.�0�\�O�R�O�
D�e�l�e�t�e�
N�o�R�e�m�o�v�e�
F�o�r�c�e�R�e�m�o�v�e�
A�c�r�o�R�d�3�2�.�d�l�l�
\�k�e�r�n�e�l�3�2�.�d�l�l�
A�d�o�b�e�A�c�r�o�b�a�t�S�p�e�e�d�L�a�u�n�c�h�C�m�d�W�n�d�
A�d�o�b�e�R�e�a�d�e�r�S�p�e�e�d�L�a�u�n�c�h�C�m�d�W�n�d�
A�c�r�o�b�a�t� �f�a�i�l�e�d� �t�o� �l�o�a�d� �i�t�s� �C�o�r�e� �D�L�L�
F�a�t�a�l� �E�r�r�o�r�
c�o�m�c�t�l�3�2�.�d�l�l�
A�P�I�_�A�D�O�B�E�_�P�U�B�L�I�C�_�K�E�Y�
T�4�0�5�_�A�D�O�B�E�_�P�U�B�L�I�C�_�K�E�Y�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�4�0�9�0�4�E�4�
C�o�m�p�a�n�y�N�a�m�e�
A�d�o�b�e� �S�y�s�t�e�m�s� �I�n�c�o�r�p�o�r�a�t�e�d�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
A�d�o�b�e� �R�e�a�d�e�r� �9�.�0�
F�i�l�e�V�e�r�s�i�o�n�
9�.�0�.�0�.�2�0�0�8�0�6�1�2�0�0�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�p�y�r�i�g�h�t� �1�9�8�4�-�2�0�0�8� �A�d�o�b�e� �S�y�s�t�e�m�s� �I�n�c�o�r�p�o�r�a�t�e�d� �a�n�d� �i�t�s� �l�i�c�e�n�s�o�r�s�.� �A�l�l� �r�i�g�h�t�s� �r�e�s�e�r�v�e�d�.�
P�r�o�d�u�c�t�N�a�m�e�
A�d�o�b�e� �R�e�a�d�e�r�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
9�.�0�.�0�.�2�0�0�8�0�6�1�2�0�0�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
A�c�r�o�R�d�3�2�.�e�x�e�
B�u�i�l�d�I�n�f�o�
0�6�1�2�0�8�n�s�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
L�a�n�g�u�a�g�e�I�n�f�o�
E�n�g�l�i�s�h�N�a�m�e�
E�n�g�l�i�s�h�
L�a�n�g�u�a�g�e�I�d�
F�i�l�e�V�e�r�s�i�o�n�
9�.�0�.�0�.�2�0�0�8�0�6�1�2�0�0�
S�i�g�n�a�t�u�r�e�
<�<�<�O�b�s�o�l�e�t�e�>�>�
0�A�d�o�b�e� �R�e�a�d�e�r� �A�p�p�l�i�c�a�t�i�o�
Process Tree
- 03d04029d1f239dc14900d31fe81088a92d82ff4dbc0ec36b6097a978accbf88.exe (1848) "C:\Users\Administrator\AppData\Local\Temp\03d04029d1f239dc14900d31fe81088a92d82ff4dbc0ec36b6097a978accbf88.exe"
Hosts
| IP |
|---|
| 114.114.114.114 |
| 129.27.9.247 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 4f7ced626f7ddeed_~rgeffere.tmp |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\~rgeffere.tmp |
| Size | 30.0KB |
| Type | PE32 executable (console) Intel 80386, for MS Windows |
| MD5 | 61739432482891f2dc5745cca0a67028 |
| SHA1 | 653f119a403f4cda837321080fc08bb7f51b238f |
| SHA256 | 4f7ced626f7ddeeddbbfb242283c30d290532d7c9fd9e093b2234f51800e960d |
| CRC32 | 73B68EF2 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 53a38a407e7288ca_psmvecnroitr.exe |
|---|---|
| Filepath | C:\Windows\psmVECNroITr.exe |
| Size | 431.0KB |
| Processes | 1848 (03d04029d1f239dc14900d31fe81088a92d82ff4dbc0ec36b6097a978accbf88.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| MD5 | 26de3fcf93233873ad1a139d279b03c2 |
| SHA1 | 403dccf550a0719fe33cf721759cb7871ba347ba |
| SHA256 | 53a38a407e7288cab6ecf6841cb5d1fde1760b15dc2c308469d9a25c980ffc4e |
| CRC32 | 28F75487 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | a9abe5b78deda854_~rgeffere.tmp |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\~rgeffere.tmp |
| Size | 33.5KB |
| Type | PE32+ executable (console) x86-64, for MS Windows |
| MD5 | afb0227374ddf86df2d8c2e4460ba92c |
| SHA1 | f1c76ade438cb46a83961c8c3722d35af8bcdd37 |
| SHA256 | a9abe5b78deda854d09118996b748d6ad3b35da3238fba8660602361e7323eb5 |
| CRC32 | 10C805A3 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 09012f5be6441a3a_qn8f0.exesiwzg32ad6.exe |
|---|---|
| Filepath | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\qn8F0.exeSiwzg32AD6.exe |
| Size | 431.0KB |
| Processes | 1848 (03d04029d1f239dc14900d31fe81088a92d82ff4dbc0ec36b6097a978accbf88.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| MD5 | b8c6e18b8d2612d4b21a448ffb12fdf4 |
| SHA1 | 23379480e3dcc28a87e34bcf1ab8d9d405f4477d |
| SHA256 | 09012f5be6441a3a79c85180f6c027342de5295c1c01c984e7beb175802ce621 |
| CRC32 | 4EA958A1 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 4dc1c7a4547a92a0_qn8f0.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qn8F0.exe |
| Size | 430.6KB |
| Processes | 1848 (03d04029d1f239dc14900d31fe81088a92d82ff4dbc0ec36b6097a978accbf88.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| MD5 | 5bc5b8ef714979d892e5c20007d7bd12 |
| SHA1 | 44b9a94fc9100155a949ff1df013d4ace6c77973 |
| SHA256 | 4dc1c7a4547a92a0ade4549bb29c87d28dbd994e2d853c6fa18628b024001625 |
| CRC32 | 1CF14F69 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 1eba06ec93001087_~rgeffere.tmp |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\~rgeffere.tmp |
| Size | 50.0KB |
| Type | PE32 executable (console) Intel 80386, for MS Windows |
| MD5 | 8007508cef6a5b10c24f7971daf00f09 |
| SHA1 | d09b122f4b29d3eaf5da733d35e9c80eb8988fd3 |
| SHA256 | 1eba06ec93001087fdefd0c520ab665a75d295056ef36ed79285960252a59618 |
| CRC32 | C424DA15 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 09796e59bf1fada5_~rgeffere.tmp |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\~rgeffere.tmp |
| Size | 62.0KB |
| Type | PE32+ executable (console) x86-64, for MS Windows |
| MD5 | 53f4bcd594cc2a791e16246aed525b6d |
| SHA1 | d2d514875bb827de43a2f8d29298ef2cad4816d1 |
| SHA256 | 09796e59bf1fada5ea7a96c9d8d865da8128dc676b4445e6d8fdbe2ad246884c |
| CRC32 | 91161F61 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.