1.7
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.77
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | Malware:Win32/km_2e9600.None | 20190527 | 0.3.0.5 |
| Avast | Win32:Malware-gen | 20240623 | 23.9.8494.0 |
| Baidu | Win32.Trojan.Injector.jm | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_90% (W) | 20231026 | 1.0 |
| Kingsoft | None | 20230906 | None |
| McAfee | GenericRXAA-FA!A92984F71E96 | 20240623 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b576f4 | 20240623 | 1.0.0.1 |
静态指标
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(1 个事件)
| section | .vmp0 |
文件包含未知的 PE 资源名称,可能指示打包器
(1 个事件)
| resource name | EXE |
动态指标
在 PE 资源中识别到外语
(1 个事件)
| name | EXE | language | LANG_CHINESE | filetype | None | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x000190a8 | size | 0x00038000 | ||||||||||||||||||
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(1 个事件)
| section | {'name': '.vmp0', 'virtual_address': '0x00017000', 'virtual_size': '0x00000cdc', 'size_of_data': '0x00000e00', 'entropy': 7.742289767498694} | entropy | 7.742289767498694 | description | 发现高熵的节 | |||||||||
可执行文件可能是用VMProtect打包的
(1 个事件)
| section | .vmp0 | description | 节名称指示VMProtect | ||||||
网络通信
与未执行 DNS 查询的主机进行通信
(1 个事件)
| host | 114.114.114.114 | |||
文件已被 VirusTotal 上 60 个反病毒引擎识别为恶意
(50 out of 60 个事件)
| ALYac | Gen:Variant.Graftor.285727 |
| APEX | Malicious |
| AVG | Win32:Malware-gen |
| AhnLab-V3 | Trojan/Win32.Injector.R350422 |
| Alibaba | Malware:Win32/km_2e9600.None |
| Antiy-AVL | Trojan/Win32.Injector |
| Arcabit | Trojan.Graftor.D45C1F |
| Avast | Win32:Malware-gen |
| Avira | TR/Hijacker.Gen |
| Baidu | Win32.Trojan.Injector.jm |
| BitDefender | Gen:Variant.Graftor.285727 |
| BitDefenderTheta | Gen:NN.ZexaF.36808.syW@aSyxlScj |
| Bkav | W32.AIDetectMalware |
| ClamAV | Win.Dropper.Tiggre-9845940-0 |
| CrowdStrike | win/malicious_confidence_90% (W) |
| Cybereason | malicious.71e964 |
| Cylance | Unsafe |
| Cynet | Malicious (score: 100) |
| DeepInstinct | MALICIOUS |
| DrWeb | Trojan.Siggen10.7034 |
| ESET-NOD32 | a variant of Win32/Injector.DGXX |
| Elastic | malicious (high confidence) |
| Emsisoft | Gen:Variant.Graftor.285727 (B) |
| F-Secure | Trojan.TR/Hijacker.Gen |
| FireEye | Generic.mg.a92984f71e964e57 |
| Fortinet | W32/Blamon.VHO!tr |
| GData | Win32.Trojan.Agent.WP |
| Detected | |
| Ikarus | Backdoor.Win32.Hupigon |
| Jiangmin | Trojan.Blamon.akh |
| K7AntiVirus | Trojan ( 004fe3c61 ) |
| K7GW | Trojan ( 004fe3c61 ) |
| Kaspersky | HEUR:Trojan.Win32.Blamon.vho |
| Lionic | Trojan.Win32.Blamon.4!c |
| MAX | malware (ai score=83) |
| Malwarebytes | Malware.AI.757049323 |
| MaxSecure | Trojan.Malware.300983.susgen |
| McAfee | GenericRXAA-FA!A92984F71E96 |
| McAfeeD | ti!1CECCF3F9950 |
| MicroWorld-eScan | Gen:Variant.Graftor.285727 |
| Microsoft | Trojan:Win32/Wacatac.B!ml |
| NANO-Antivirus | Trojan.Win32.Hijacker.guassz |
| Paloalto | generic.ml |
| Panda | Trj/Genetic.gen |
| Rising | Backdoor.Agent!1.C842 (CLASSIC) |
| Sangfor | Trojan.Win32.Save.BlackMoon |
| SentinelOne | Static AI - Malicious PE |
| Skyhigh | BehavesLike.Win32.Generic.dh |
| Sophos | Mal/Generic-R |
| Symantec | ML.Attribute.HighConfidence |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
1970-01-01 14:04:03
PE Imphash
ee72eda9e6cf9ab7f97b629e49c3f415
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x0000bb63 | 0x0000bc00 | 6.587994195998012 |
| .rdata | 0x0000d000 | 0x000039f6 | 0x00003a00 | 5.192112198529038 |
| .data | 0x00011000 | 0x00005ba8 | 0x00001200 | 2.4337171308933376 |
| .vmp0 | 0x00017000 | 0x00000cdc | 0x00000e00 | 7.742289767498694 |
| .reloc | 0x00018000 | 0x00000bf6 | 0x00000c00 | 6.60367589066079 |
| .rsrc | 0x00019000 | 0x000383e4 | 0x00038400 | 6.074823861971139 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| EXE | 0x000190a8 | 0x00038000 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | None |
| RT_MANIFEST | 0x000510a8 | 0x00000165 | LANG_ENGLISH | SUBLANG_ENGLISH_US | None |
Imports
Library KERNEL32.dll:
• 0x40d02c Sleep
• 0x40d030 CreateProcessA
• 0x40d034 GetProcAddress
• 0x40d038 LoadLibraryA
• 0x40d03c GetModuleHandleA
• 0x40d040 HeapAlloc
• 0x40d044 HeapFree
• 0x40d048 GetProcessHeap
• 0x40d04c GetComputerNameA
• 0x40d050 SetLastError
• 0x40d054 TerminateProcess
• 0x40d058 FreeLibrary
• 0x40d05c Process32First
• 0x40d060 Process32Next
• 0x40d064 CreateToolhelp32Snapshot
• 0x40d068 GetVersionExA
• 0x40d06c GetModuleFileNameA
• 0x40d070 lstrcatA
• 0x40d074 GetEnvironmentVariableA
• 0x40d078 GetShortPathNameA
• 0x40d07c lstrcpyA
• 0x40d080 CreateFileA
• 0x40d084 FindResourceA
• 0x40d088 SetFilePointer
• 0x40d08c FreeResource
• 0x40d090 LoadResource
• 0x40d094 GetWindowsDirectoryA
• 0x40d098 WriteFile
• 0x40d09c SizeofResource
• 0x40d0a0 LockResource
• 0x40d0a4 SetEnvironmentVariableA
• 0x40d0a8 CreateMutexA
• 0x40d0ac HeapReAlloc
• 0x40d0b0 GetTickCount
• 0x40d0b4 SetStdHandle
• 0x40d0b8 WriteConsoleW
• 0x40d0bc LoadLibraryW
• 0x40d0c0 HeapSize
• 0x40d0c4 GetSystemTimeAsFileTime
• 0x40d0c8 QueryPerformanceCounter
• 0x40d0cc GetEnvironmentStringsW
• 0x40d0d0 FreeEnvironmentStringsW
• 0x40d0d4 FlushFileBuffers
• 0x40d0d8 GetCurrentProcessId
• 0x40d0dc CloseHandle
• 0x40d0e0 CreateFileMappingA
• 0x40d0e4 GetLastError
• 0x40d0e8 OpenProcess
• 0x40d0ec GetProcessTimes
• 0x40d0f0 LCMapStringW
• 0x40d0f4 IsValidCodePage
• 0x40d0f8 GetOEMCP
• 0x40d0fc GetACP
• 0x40d100 GetCPInfo
• 0x40d104 GetConsoleMode
• 0x40d108 GetConsoleCP
• 0x40d10c DeleteCriticalSection
• 0x40d110 GetStartupInfoW
• 0x40d114 GetFileType
• 0x40d118 SetHandleCount
• 0x40d11c RtlUnwind
• 0x40d120 InitializeCriticalSectionAndSpinCount
• 0x40d124 LeaveCriticalSection
• 0x40d128 EnterCriticalSection
• 0x40d12c CreateFileW
• 0x40d130 InterlockedDecrement
• 0x40d134 GetCurrentThreadId
• 0x40d138 InterlockedIncrement
• 0x40d13c TlsFree
• 0x40d140 TlsSetValue
• 0x40d144 TlsGetValue
• 0x40d148 TlsAlloc
• 0x40d14c GetModuleFileNameW
• 0x40d150 GetStdHandle
• 0x40d154 ExitProcess
• 0x40d158 GetModuleHandleW
• 0x40d15c HeapCreate
• 0x40d160 IsProcessorFeaturePresent
• 0x40d164 IsDebuggerPresent
• 0x40d168 GetCurrentProcess
• 0x40d16c UnmapViewOfFile
• 0x40d170 MapViewOfFile
• 0x40d174 MultiByteToWideChar
• 0x40d178 GetStringTypeW
• 0x40d17c WideCharToMultiByte
• 0x40d180 SetUnhandledExceptionFilter
• 0x40d184 UnhandledExceptionFilter
• 0x40d188 RaiseException
• 0x40d18c HeapSetInformation
• 0x40d190 GetCommandLineA
• 0x40d194 EncodePointer
• 0x40d198 DecodePointer
Library ADVAPI32.dll:
• 0x40d000 CreateProcessAsUserA
• 0x40d004 RegEnumKeyExA
• 0x40d008 RegOpenKeyExA
• 0x40d00c RegQueryInfoKeyA
• 0x40d010 RegCloseKey
• 0x40d014 RegQueryValueExA
Library SHELL32.dll:
• 0x40d1a0 ShellExecuteA
Library ole32.dll:
• 0x40d1d0 CoCreateGuid
Library WS2_32.dll:
• 0x40d1b4 gethostbyname
• 0x40d1b8 inet_addr
• 0x40d1bc WSAStartup
• 0x40d1c0 inet_ntoa
• 0x40d1c4 gethostname
• 0x40d1c8 WSACleanup
Library IPHLPAPI.DLL:
• 0x40d01c GetIpAddrTable
• 0x40d020 GetPerAdapterInfo
• 0x40d024 GetAdaptersInfo
L!This program cannot be run in DOS mode.
AQm ?> ?> ?>
4> ?>tn> ?>V> ?>V> ?>V> ?>X> ?> >>P ?>V> ?>> ?>V> ?>Rich ?>
`.rdata
@.data
`.reloc
@.rsrc
_Ujhp@
u(EPME
>2# f;D
^U VW3;w
3_^]9>
}}}}}}}}
KUREPMQURW
|tuuuu
FEPQREPV
@;<,#_
VE_^[]UQSW3h
uj9 vfVw
; r^Wj
]tgURSV
u`RPQSh@
VSSSSSSSRSSSP
SSSSRPVQ
PQRShX@
QRPShl@
SVW\Rh
3_^[M3,
ESVWPEd
9]t*;t
Y_^[M3d
hWP`d\m
u9\x<RdP`QK
;t7\RdQ`RV
ESVWh$
]UpSVW<
EEEEEPQj
_^[]V3V
t$(D$<
T$8PD$8QRPh0@
|$XD$T;t
|$TD$P;t
|$PD$HD$D`@
EPSQWE
UQVWh@
P 7d| @wHG-%f
AhN@+$UW_
3PD$xd
RVWPG\$$
u{jDD$0j
RD$ D$$D$(D$,D$0PVQQQQQWQD$TD
t T$ L$
\$$RD$
Y_^[]3L$xd
ESVW3h
p;|75<\t
Ny#VPh
M_^33[
]UQV3;
*<0|&A
^]3^]UVF
DDDDDDDDDDDDDD
woVW=#A
U SW3j
3Y}]9]
;tVEEE
u$EPSR K
f;u,ft<U
E`p3^_[
:t3^[_-
B:t6t:t't
rustnM
tR:QuMPt<:Qu7Pt&:Qu!Pt
@FA;r3^[
W>+~,WPV
Y/V|Yt
Y}3u;5kA
YY3BU`[A
F3u`[A
U SW3j
3Y}]9]
YY^_[UW}
tJ2t#2t
E`p3rSWP%
E`p3_[^
3_^]5+A
tAt2t$
FGIuX^_]
UQSV5@
;r>PuH
ffffffE
3PPPPP
V!VRVI>
YYuTVWh=@
3]j h@
VSf*&A
3PPPPP
@Y<v*V
^SSSSSyj
;tFtA3
M_^3[>j
Flvl5,
YYt:V5
PwYF4t
PiYF<t
P[YF@t
PMYFDt
P?YFHt
P1YF\=@
~lt#W'+
43_V54@
YYt0V5
QPvYYu
ItUhtDlt
HHtXHHt
4itqnt(o
t-RPSW<
0@?If90t
;u+(;u
u'~! OFt
`pM_^3[
|_3^b=#A
1E3PeuEEEEd
Y__^[]Q
:E_^[]E
9csmu)=h@
URPQQhPo@
t;T$4t
;v.4v\
UVWS33333[_^]
33333USVWj
_^[]Ul$
j@j ^V
H3H/5`ZA
;rSWf9M
j@j {(
W34809}
!@l39H
4 3,9E
P4UM`8
DQP C@
,PVEP$
3+4H;M
(PVHP$
(PVHP$
r3VVhU
QH++PPVh
(P+P5P$
\,+48;E
0?DY1$
8+0[M_3^pj
DDDDDDDDDDDDDD
YtP`ZA
WPWPWv
j #Ywj
8]tEMap<u
TM_^3[|j
PZY^hS=8@
USV58@
3W;to=
t4V0;t(W8jYt
Fpt"~l
lVYYYEE
S3VW;~ E
@;u+H;}
39](SSu
]9]tWuu
};~Bj3X
3;t?uWuuu
t"SS9] u
EYe_^[M3
MEu(Eu$u u
;t_+^]
VSMYY1+W
Map^[j
VW3X*A
F$|3@_^
EPQEPEj
@Gt!Ju
E`pjPX
j"^0V}
E`p3_^[
8csmu*x
S^`N`H
j$Y~\d9
QY^`[_^]
S3V>=YX
t?VSP[
3Y[_^5#A
3PPPPP
FA>\t>"u&
uUEPSS}
=?sJMsB
Y;t)UEP
3wf93t
f90uW=|@
VVV+V@PSVVE
E;t8P/
YE;t*VVuPuSVV
E3E3;u
YYu,9E
Y+t"+t
+tY+uC
Uw\]Yp
u>OdMGd
u wdSUY
B(;r3_^[]
1E3PEd
t?P5$-A
3M_^3[B
^0g_^]
ft'Ou"+
jPfDJXdf
EU_^j
f;v6;t
Map_^[;t&;w hj"^0
8]tE`py
<E`p0M
YY]VD$
_};=kA
4!Y`[A
YUSVWUj
P(RP$R
t:|$,t
;t$,v-4v
UQPXY]Y[
UQ=0 A
PYYt}E
E`p;39]
S3VW;|[;
t6<0t0=
ES3VW]9]
39] SSu
ESEYe_^[M3
vL~vPvvTnvXfv\^v`VvdNvhFvl>vp6vt.vx&v|
PyYF0;
PgYv4;5
P{YFH;
PiYvL;5
VWY^]QL$
RQMQVp
UV3PPPPPPPPU
S3VW9]
3_^[];t
B:t"Ou
UV3PPPPPPPPU
$sF ^f
Y3MW0u
eY3PPj
L_^][_^]3[
$UQQSVWd5
SVWE3PPPuu
E_^[E]
UQSVW}
QRgYYt
t3@_^]
=RCCt =MOCt
=csmu*
8csmu8x
t*9csmu"A
EPYYE1
>csmuB~
YYtaSV
_YYPVVv
YYt)SVQ
Ht Hu4j
SxEI3@
=MOCt*=RCCt#u$u u
EPEPVu WM
ESx;7|G;p
@u%u$u
E;Mr[_^
Y9>u&~
Yu\39 ~
EPEPuu WVM
EGE~rF
.u$}u ]uE
u$u uSu
tR99u2y
u$Vu u
Q 3@_^[]U
mVW_^]M
3PeuEEd
J3gmh@
BJ3<m@
EF0cT$
xmVM2GjxnLaHyuym
mR AqJ
RCr&KKb
:t(#K$j
x<wB#K+3
G=|R}%"
l]h(?1
Unknown exception
bad allocation
CorExitProcess
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
(null)
`h````
xpxxxx
`h`hhh
xppwpp
UTF-16LE
UNICODE
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
Complete Object Locator'
Class Hierarchy Descriptor'
Base Class Array'
Base Class Descriptor at (
Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
delete[]
new[]
`local vftable constructor closure'
`local vftable'
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
delete
__unaligned
__restrict
__ptr64
__eabi
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
invalid string position
string too long
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
>?456789:;<=
!"#$%&'()*+,-./0123^i/
Global\System-Protect-PIDList
explorer.exe
%02X%02X%02X%02X%02X%02X
SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
%s\Connection
PnpInstanceID
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
NetCfgInstanceId
Characteristics
%02X-%02X-%02X-%02X-%02X-%02X
ntdll.dll
RtlGetNtVersionNumbers
InitializeProcThreadAttributeList
Kernel32.dll
DeleteProcThreadAttributeList
UpdateProcThreadAttribute
%08X%04X%04x%02X%02X%02X%02X%02X%02X%02X%02X
168@*A*%99mm#;~(cacdK+=|cda-2cacd==
cmd /c ping 127.0.0.1 &&cmd /c del "
" >> NUL
ComSpec
param:
84v,a-n
XTYPE-SYSTEM-YJSNEWCLIENT
param:
bad exception
WideCharToMultiByte
MultiByteToWideChar
MapViewOfFile
UnmapViewOfFile
GetCurrentProcess
GetProcessTimes
OpenProcess
GetLastError
CreateFileMappingA
CloseHandle
GetCurrentProcessId
GetTickCount
CreateProcessA
GetProcAddress
LoadLibraryA
GetModuleHandleA
HeapAlloc
HeapFree
GetProcessHeap
GetComputerNameA
SetLastError
TerminateProcess
FreeLibrary
Process32First
Process32Next
CreateToolhelp32Snapshot
GetVersionExA
GetModuleFileNameA
lstrcatA
GetEnvironmentVariableA
GetShortPathNameA
lstrcpyA
CreateFileA
FindResourceA
SetFilePointer
FreeResource
LoadResource
GetWindowsDirectoryA
WriteFile
SizeofResource
LockResource
SetEnvironmentVariableA
CreateMutexA
KERNEL32.dll
RegQueryValueExA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegCloseKey
CreateProcessAsUserA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
CoCreateGuid
ole32.dll
WS2_32.dll
GetAdaptersInfo
GetIpAddrTable
GetPerAdapterInfo
IPHLPAPI.DLL
DecodePointer
EncodePointer
GetCommandLineA
HeapSetInformation
RaiseException
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
IsProcessorFeaturePresent
HeapCreate
GetModuleHandleW
ExitProcess
GetStdHandle
GetModuleFileNameW
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
GetCurrentThreadId
InterlockedDecrement
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
RtlUnwind
SetHandleCount
GetFileType
GetStartupInfoW
DeleteCriticalSection
GetConsoleCP
GetConsoleMode
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
LCMapStringW
FlushFileBuffers
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetSystemTimeAsFileTime
HeapSize
LoadLibraryW
WriteConsoleW
SetStdHandle
GetStringTypeW
HeapReAlloc
CreateFileW
rCr*c*Z<6
TJYa]/
l?e1thH
.?AVlogic_error@std@@
.?AVlength_error@std@@
.?AVout_of_range@std@@
.?AVtype_info@@
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.?AVexception@std@@
.?AVbad_alloc@std@@
DELETE
CONNECT
DELETE
CONNECT
.?AVCThread@@
.?AVCShellExeThread@@
.?AVbad_exception@std@@
7*>)f;3f#
98f[dW/hhb&
5 ~;x`PdRj
98n;kW*hhb
.7g&iPd^i
7qtFf*
tj8x}G
98a{[g%hhb
+kx3f6s!k_
;H&oPduk
98jiW!hhb
.r8fFb#%g
Z/i0oPdo
98m+`"hhb
';XsfbC)j5etv_
7g&oPd]l
f{k7$hhb
!a8fB.e5Rs4_
+o(h?n<7FbPdol
NC$r]Z
98`;Kc"hhbF
Cfs/nE
yn6&nPdgi
_.('z8XWkPd
}}N@e$PT
uA#J8`l
1NO$]Q
P gcSfprH>+m
7 '}u1
NAQ$EP[
g;b/hhbf
&SfF"au
fCO.T"oLo8h`Pd
3sP hH
crFTM]/c!
i|]}yIxNI8$
98m{;b
ff23/eojq
I~=dPdg
S<aBP widfxL@ }"n
LM}pYXNF$_Q
IP 7kxy~0~M b
qNH&$n][
EP Wlrq
w|]}x1N@*$t^^
sjN9 lc
!X6.`~
dZH@E'
00R11+222-383Z324=4a4r44
5B5|55555
666666
8-8Y8h8u8~888888888H9b9i9999I:T:[:
;[;;;;;:<J<^<<!=~====
>>>z>>>>
?G?f?u??
V000000000000
1 1(10171111111102^23333
42494p5t5x5|5555555555!6d6666666666u777
8!868P8V8w8888999::::
< <9<X<<&=2=N=o=====
>4>D>P>o>}>>>>>>
1.1j1{11222222'3.3j3333-4-555
6=6H6d66666
8j888888888 9=9D9H9L9P9T9X9\9`999999":-:H:O:T:X:\:}:::::::::::F;L;P;T;X;;0<6<;<C<S<]<c<w<j=p======M???
0W6z6666::::::
;*;2;=;;;;;;;;Y<<<<<<<<<<<<<<<<<
=!='=1=:=E=Q=V=f=k=q=w===2?7?A?a?f?
B0I0Q00000
1"1{111112222
3P3l3333333
4*444444444
5'525L5W5_5o5u555555
7P7h7r7777777708M888888
9#9,989>9F9L9X9^9k9u9{99999":(:R:X:^:t:::,;O;Y;;;;;;
<%<+<3<:<?<G<P<\<a<f<l<p<v<{<<<<<<<<<<<<<<<<
="=(=@=]>d>p?
0&0L0000$4
5_66668::::
;1;@;M;Y;i;p;
;;;;;;;;!<T<c<l<<<<<B=
>$><>W>>>>?
!0G0M0w0000 1)1T1l11111
2A2G2223344!56i798j8888}999z::::::::
;/;M;T;X;\;`;d;h;l;p;;;;;;2<=<X<_<d<h<l<<<<<<<<
=V=\=`=d=h==
>'>P>>>???
h1y1111111 2*242M2W2j2222
3}333R4q444
525:5B5Y5r55555555
6/6{66
7f7)8W88883999j::;<<<(=2==========
>*>0>9>L>p>>
0e222222Q4`444444
5666666j7p777
8 8A8F8l888888888
9 9)959l9u99999
:g:r:x:::::::::
;Y;^;;;;;;;;$<-<3<<<<<======E>h>s>y>>>>>>>>>>>>>>>
?I?c?}?
1#1)11111
3A3S3^3r44555
6&6+696|666e7
7777788^9q9999$:=:Y::::::
;+;;?????
0/0A0S0e0w00000000]5c5m5555$6<6e6k6p6v66
9'9,9;;;;<=>0?
0K2z5555749999+:F:Q:U:Z:
2 2$2(2,2024282<2@2D2\2`2d2h2l222T;\;d;l;t;|;;;;;;;;;;;;;;;;;
8 8$8(8,8084888<8@8D8H8L8P8T8X8\8`8d8h8l8p8t8x8|888888888888888888888888888888888
9 9$9(9,9094989<9@9D9H9L9P9T9X9\9`9d9h9l9p9t9x9|999999
L6P6T6\6`6d6h6l6p6t6666666666666
7 70747D7H7L7P7X7p77777777777777
8(8,848L8P8h8x8|888888888888
9,9D9X9`9h9p9t9x99999999999
:4:8:X:x::::::
;(;H;h;;;;;;
<(<D<H<h<<<<<<<<<<<,=<=P=d=p=x========0>8><>T>X>h>>>>>>>>>
? ?(?0?4?<?P?
0 0@0`0
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|::::::::::::::::::::::::::::::
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;;;;;;
<(<,<0<4<8<`=t>x>|>>>>>>>>>>>>>>>>>>>>>>>>
?@?\?x???
Q0l0,5Z8;O
R4)G]9ybp-d(/4K>
L!This program cannot be run in DOS mode.
`.rdata
@.data
P;@P:&
fEm}mEU]U<
UE'Eeu
P]@P\
P<@P;
LEEP]t
LEEP]t
LEEP]t
LEEP]t
LEEP]t
LEEP]t
PDX+QSP
Y^Y_^I
XE]3PEXAQS
]SQEHy
LEEP]t
LEEP]t
XEEPu-
t*SW37%
EeuEPhD
uEPEPu7
EPEP07
EE]EE]eE]e]E
]]3]3uu
]]3]3uu
]]3]3uu
]]3]3uu
]]3]3uu
]]3]3uu8
]]3]3uuU
]]3]3uup
]3]3uuEPy]t
]3]3uuEP]t
]3]3uuEP]t
EPEEP]t
(EEP]S
XE]3PEXAQS
]SQEHy
]3]3]3h
]3]3]3h
]3]3uu
]3]3uu
uEPEP,
uEPEP0
(EEP]S
]3]3uuEPI]t
]3]3uuEP6]t
]3]3uuEP#]t
]3]3uuEP
EEPEPB
,]uuEPuEP
XE]*3PEXAQS
]SQEHy
XE]I3PEXAQS
P1e@P0
EP|EEP]t
EPEEP]t
P]a@P\
P-[@P,
]3]3]3h
PuY@Pt
]3]3]3h,
EP]38V
EP]3cU
]3]3uu
]3]3uu
]3]3uuEP
]3]3uuEPY]t
]3]3uuEP
]3]3uuEPx]t
]3]3uuEP]t
P;D@P:v
]3]3uu
]3]3uu
EPmEEP]t
]3]3uu
]3]3uu
]3]3uu
]3]3uu
]3]3uu
]3]3uu
EPgeEEP]t
]3]3uu
]3]3uu
]3]3uu
]3]3uu
]3]3uu
]3]3uu
uRFGHt
t+t'NW:u
;uH_^Ul
Iu[[hH
VSQ]H]
P/ @P.Q
e],3EPhD
EPEO&P]3
]3]3]3
EP]3uu]3
]EE]E]E E][
3PEXAQS
??SQE]E%
]EC Hy
]eEPh(
P]S}SWj
XEeuuEPh(
]S}SWj
EEP]3uEX
EeEPu]3E
EE3AQP;
EUEu]E4
4EEP]t
LEEP]t
EP+EEP]t
EP#EEP]t
]VWS_[_^VWS5[_^U
(EEP]S
3PEXAQS
(EEP]S
3PEXAQS
Y^_^VWPr
Y^Y_^I
X_^VWP
Y^Y_^I
3PEXAQS
3PEXAQS
3PEXAQS
3PEXAQS
Y^_^VWP
Y^Y_^I
X_^VWP
Y^Y_^I
3PEXAQS
]3hl#C
3PEXAQS
]]3hq#C
3PEXAQS
]3hl#C
SSQEHy
43PEXAQS
|SQEHy
ESQEHy
]3hq#C
^PVWP{X+QSP
PVWQPh
Y^_^VWP
Y^Y_^I
X_^VWPX+QSP
Y^Y_^I
X_^XY_^I
3;wO;5xzC
E33MEfMEE
MRMPQU
F;r[_^]
EUM_^]
+;E|w;~s}
uSEVPU
EUM[_^]
(S\$4UVW3|$L3I
_^][(;
|$X3|$
t$dD$xu
T$LURVL
L$$+PW.
r];sYT$LURV^
L$$+PW7.
QPL$, .
rL$@D$ +;
L$$PW-
L$4|$,Q
L$$D$$B
_^][(Sx*
W3ItLL$
VW3|$$I
5t(D$<
*t.;w"T$$WRV\
F;v_^][;wD$$WPV
F;v_^][
_+^]@[
Wui%=
t-t)AQ|
W3It4D$ ~,;}
^[_^3[
v*SW,V
F;r[_^]
3IPSD$
G:u< t
t$(<"uIG
Fu+RWl
|$T|$XD$D
t>L$|A
w2$|XA
f|$H+fD$H
RPWWWj
;t'9|$pt
UVW3l$$I
D$<t ;r
t-N;s_^][;rWUV
N;s_^][
_+^]@[
PQL$$Q
SUVt$0Wu
\$(~GS(
|$@|$$G
3I~*T$
tq|$$D$ L$0@
;D$ |$$
tI\$(D$
L$(PQjj
R03l$ t$
|$@H|$0D$$G
|$0D$$
H|$0D$$ul$ t$
SUVW$\
\t.<)C
_^]3[H
3^W3I_u
S\$(UVW3|$
IIt$4L$
3u8+QP9
T$4t)IL$
L$4CIL$4L$4CIL$49l$4}8
t$(D$
T$(QL$
L$$PD$
L$$T$ D$
T$0QL$
L$$T$ D$
L$,PD$
L$$T$ D$
w $<fA
3tESL$
SUVWtjl$(tbB
@;v_^][Y_+^]@[Y
;u2L$D;u
L$LU3;V|$
WwktZ=
ugD$DD$
l$D3ID$
T$ ID$
F|$ T$$L$
SUVWP/
u0D$Ht2T$@t*3IQR-
l$@L$(
D$$SWVURP
VW3ItK\$0~Ct$$~;;
][_^]3[
SU;WD$
|$8|$ G
3I~*T$
~{|$8H|$(D$ G
|$(D$
H|$(D$ uD$
t8j\h{C
t@_^]3[
PD$0hP)C
uIWUT$
t6SW3I
Fd;r,d
3_]WPQE
A+EYX_E_]
SVD$,WPQR
\$4D$(L$
PD$<T$$QL$<RPQM
T$@D$8RT$XL$HPD$XQRP
u0|$83$
D$ RT$
QL$ RT$0PQM
0D$@S\$8U
D$PD$TD$P
D$PD$X
_l$D^D$@][0
H3I|$P
D$ D$(D$,D$4D$<
T$$T$0T$8
uDT$H3JL$
|F_t$D^D$@][0
_Ft$D^D$@][0
QL$<;t!
H}N_t$D^D$@][0
Nt$D^D$@][0
D$ D$(D$,D$4D$<T$
T$$T$0T$8
L$DT$H@
D$@L$D
_YSUVj
D$$h8*C
L$,Sh<)C
3IL$0i
L$$PQh
SUVWL$
03T$8I
|$HIL$
|$DIL$
I;s_L$DWQV
+PUD$Ht
_^]3[L$ d
L$,|$$
+D$8D$
L$0_^]
t9SW3IP
t9SW3IP
QMT$ RF
F V$$(
D$ fL$
?PQfT$
G0t.|$
F0t*D$
D$ u0_^][Y
SUVt$$W|$,V N
D$,F0T$(V4L$
D$(L$,F ^
WVQR33
L$DN0T$@V4
D$,L$(
L$(D$0
D$(D$(+
L$(D$0
D$,L$(
D$(D$(+
s F,+L$
F(;rL$
u F0N(;t
ugV4T$0RWV
V4D$<F0
u"N(D$ ;t
AH;N,L$
u F0N(;t
ugV4T$0RWVBV4D$<F0
u"N(D$ ;t
L$(D$,N ^
V4T$0RWVB
L$(D$,N ^
D$(L$,F ^
L$0QWVV4
AML$,V4T$0RWVV4N0
;t7L$(^
N L$, O
L$(D$,N ^
D$(L$,F ^
G(RPW$
F4F0F8F
W(VRW$
N$W(QRW$G(VPW$
WVF,N8
4S\$<UVt$HK k
C4W>;|$
D$Ht$L|$
D$(VL$0PT$8QD$@RPT
L$<T$@D$DVQL$PRPQ(C
G D$H|$
;u#C0K(;t
uyL$PD$
QVSC4JK0D$\C4
T$ u,C(T$$;t
D$Hr%?
N(PQV L$T
G;D$Hr
;T$8s;L$
L$8D$P
G;D$Hr
@LT$ JT$ uC
VQT$DL$HRQT$4L$0RS
T$<D$@L$$VRT$(PQR
N(PQV$
C K4>V
T$PRVSC4
V(QRV$D$PL$
D$PPV>SS4e
V(QRV$D$PL$
D$$>SC4
V(QRV$
QVSC4WK4S0
t;T$HL$
VWG(N(PQV$W$F(RPV$N(WQV$$3_^
|$T|$X|$\|$`|$d|$h|$l|$p|$t|$x|$|$
lTDTEJ(u9t$Tu $(
9:_^]3[
D$X+l$
;u;T$,v
\T+3x%A
T+t$Dy
|$@|$<
t$4PLTT$ L$(T$(
;v+l$$+l$(
D$@|$L
t>|$8D$
t$@L$0
T$LD$1+
`T$0 +$$
;D$<s!L$@
;D$<rL$
|$8M#;t l$
M#;uT$
HD$$D$
L$(T$
@L$(L$,B;D$
QSW|$ j
SQL$ RUPj
W(SRW$
QS\$,UVC(Wj
T$4D$$l$
WQL$4RT$,PQh@B
T$4D$(L$
WQL$8RT$(PD$0Qh4B
RQ(u$T$(:
w[C(WPS$
3_^][Y
u K(WQC
K(WQS$
S(WRS$
D$,L$(SU(@
Q Vq0Wy4D$
L$ t$4#3
L$,++t$
+l$8](;sYm,l$(+
;rl$(+;v!+
GFMut$8v(
GFIul$
GFIul$
GFIul$
r3L$<\$
+t$,\$,
\$8+S
{4_^]3[
tVt$<\$
\$8+S
+t$,\$,
t$,\$8+S
{4_^][
3ANu^[
t1N$t*@
N(PQV$
~(9~$u
D$ _^]
T$ _^]
u\L$ Qj
uFGH|*<0Pu
3|$$l$ V3
t!UWVn
D$$PVp
D$$;uW9l$
uKD$@PVy
u9L$DQVg
u'T$(RV
L$@T$D
|$@D$03$
XSW|$d3
D$ PQv
D$ T$HRP
L$,QRP
D$(PQ9
T$,RP"
L$<QRv
D$@PQ_
L$xt:T$|;s
tjD$<$
t!L$lj
D$<v*v&D$l$
toD$@$
D$@v0$
u!|$pt
V(QRVF
F(RPV$3
VQWT$8SR
D$ PQ)
G4L$ ;u
L$ G<;t
L$ G@;t
L$ GD;t
D$ L$$
^@W4O<3;
NT^PW4Vd
^$P^(^,u
O@NXWDV\G0$
NlUl$ ^p
FtgE#N|FxxV4t
EuWxD$
3N<w|_^[
SUVW3;
NhF<V`
V<NXFl.
/G;rF|N
FPWRPYn\^
u]D$(tU
WURn\\$$FPD$(
tPtLucF
FPNT;t
;u#;t#$
D$LRPQ"T$0D$@R
L$XPQR
D$|t$H
D$XL$LT$T(
T$,L$0T$(QRD$0
D$0L$4
Au;t8V+
_^]3[@
_^]3[@
3_^][@
3_^][@
T$ WRi
thVt$,;;C
L$$T$ D$
QRPD$ c;
tR;t;8
t9SW3IP
D$pL$lPQL$
PSUVWj@NPVTFLL$
FXT$$QR
D$(x|$
\$4l$@
8~(|$
QRL$(WQ
RT$ PQD$$RP
RPT$0QR
PD$(QRL$,PQ
RT$$PQD$(RPz
QL$ RPT$$QRS
QRL$0PQ,
RT$(PQD$,RP
QL$$RPT$(QR
PD$ QRL$$PQ
PQD$0RP
QL$(RPT$,QRi
PD$$QRL$(PQB
FXVTT$
FX^][P
T$ Vt$
BHBDBL
#EgBPBT
+QhT-C
D$(RPQ\$8-
D$8|_^][$
?;WSDs
{HrRt$
D2P@@;rL$
NdNTVd
NTVdF$+-
tg-NT|
RVd+RPV
FdQFT]
UVk$WCdS4Kl++u
K$);rq{0
shKdCT++
shsDKdK<+
t`KlsdRS0
r$SdC0KP<
3KL#C@
s'V6Fl
rAF@NPVd~03
~L3N<#3F@f<AF,N8#f<AV@F<fNdf
Pt'VdF$+-
fFdf+Fh
rYHFXVdF0~@B3
~L#3F@f<AN,F8#f<PN@V<fFdf
JFXHFXu
NdNPFX
3NL#F@nVdF0
tqPNT|
RVd+RPV,
FdQFT~
Y_^3]Y
SUVW|$(w$GtWdO0opD$
t$,W0D$
D$(8D*
W,G8#3f4PD$
$D$ ;w
QSUVt$
s'VFl\$
rAF@NPVd~LN03
N<3#3F@f<AF,N8#f<AV@F<fNdf
PVXFhVpF\nXtXFx;sOVdF$+-
VdFlNp
VlFpNdA
Nd;w>F@NP~03
~L3N<#3F@f<AF,N8#f<AV@F<fNdf
PFpHFpuNd
VdPVTb
I;u2NT|
VdNlBIVd
NdFlAHF`
NdFlF`t\FdN0
RVd+RPV
H_#^][Y
Y_^]3[Y
3WN|~P~
|$ WUSV
@APQVd
VL$ D$(c
T$ RVT
D$$SUV
L$$T$ T$0
t$4L$033
`t$ fB4
+t$$<f4
t$4L$0D$
HL$0D$
D$0tbT
;t"+3f
f>D$0HD$0ut$4l$
NfAuD$0|6t$,x
o]_^[Y
~l334B
GD$ D$
|$$3Bf ;
+;~g3ft
+;~g3ft
+;~f3f
+;~f3f
+;~f3f
Ol$$|$
+;~_3ft
f+fL:f
;~ql$ 3f
+;~j3fT
+;~b3f
QQD$,QPTu
SU3Vt$
_^][PWL$
F V$SU=
RQ/3SD$,
SU3Vt$
^][PV[T$
SUQRT$(3
SUl$(V
PViL$0V
VN$ fl$
l$(\$(T$0D$
QSURPGT$<3
NuL$$U
_^[UQ=
;^}%95NC
YY^S39
_^[UQ=
YYUjhpB
EPEPVA
_^[UQQSVWj
SQQ]E E
YYE_^[SUVW|$
_^][t$
lYQSUVW|$
7G33=NC
_^][YU}fE
fEm}mEUUW}
B8t6t8t't
B^_[UWVu
DDDDDDDDDDDDDD
Yu3UjhB
_^[UQSVWE
$UQQSVWd
SVWE3PPPuu
]U4SVWe
E_^[USVWE
X_^[]UQSV}
[USVWUj
t.;t$$t(4v
9]t^uH3
uA;5$oC
9]u>Vj
E9]u'9
Y_]US39
t3;w/8
3_^[]WVS3D$
GIt%t)
Gt/KuD$
GKu[^D$
[^_UjhB
YE;t*CHE;r
9}uK;u
E;t#CHE;r
9}u";u
EPEPS%/
E;uf9=4D
^UQSV
YtF>"u
< v^S39
PZY;5pD
8 t9UWD
YE?=t"U%;Y
8 u]5<D
[UQQS39
EPEPSSWM
YEPEPE
@"t)t%
F8"uF@C
@C8"u,
VW333;u3
SS@SSPVSSD$4
;t2U;YD$
t#SSUPt$$VSS
;t<8 t
u+@UY;u
3_^][YYUHSVWh
YYt)V5\JC
YYt&V5\JC
YY;t>j,PY;Yt0@8
XVC20XC00U
]_^[]UL$
u*=tIC
YY\WP\:
@Y<v)\P:
SVWe39=,D
"WWShB
M]9}tfSuu
tMWWSuu
Mu;tVSuuu
ARV5LC
]EuMm]E
PeYt,F=NC
@H80t8
X3UQQ}
U(EVPEPE
0^US38]
A80t<^
_^[]U(EVPEPE
,^USVu
_^[]U(SVEWPEPE
|&;}"t
Gu GEj
^_USVu
_WPSAD
It-ht lt
HHtpHHtl
YAE t!E@E
Et?EWVuu
~;E]xf
CPEPC@
YY~2MQu
E_^[`B
KVW~&|$
r;]uy;
;uY;]s
pD#U#ue
j #M_|
]#\D\D
VW3;u0DP
3_^][Vt$
^UQSV5
YUQQSV5 oC
6;5 oC
3_^[UQM
CF;sN;Eu
3_^[UQU
;w+;v'
E_^[UQQE
]EU=uC
YY]UXu E
Yu,t(u E
@@ _^[]U
;} +]t
u(EE uEE$E6
EEUQQE
X]3]UQQE
E0^UQ}
tP8csmu,9x
U$Ru u
}EPEPWu u
$uu$u S7u
u u$u uu
UQQVWxh
t!u$u u
EPEPWu u
E;EsO;>|C;~
u$u Vj
_^VW|$
X_^UjhxB
u,au$6u
_^[]UjhB
FE$@lE
jEPDYY3
MHp?csmu)
X3UjhB
QQSVWeE
_^[38E
VW_^]M
QQSVWe3uL9p`t E
QQSVWee
tt0B=XqC
@;vAA9
Wj@Y3D
t7SWU
BBBu_[j
VPVPV5D
@AA;rI3
tAt2t$
8t3^[_
^[_UWVu
DDDDDDDDDDDDDD
^_UjhB
u,9uv'
83_^[S39
VWuBh8B
UV3PPPPPPPPU
$s ^UV3PPPPPPPPU
$sF ^UjhHB
3;u>EPj
E;tc]<
e33M;t)uVu
_^[UQV}u:
Vj Yj D$
SVWj \$
<Wj Yj
}_^[UQQE
SVWxj Ye
<3E_^[
Ju^W|$
SVWj }
Eu&E3P
EPEPvEVPw
@PEP 3|; |(EPVw
IYY3j Y+O
1_^[hpqC
3PPPPu
3PPPPu
W@PWV,
_^[]U(VE
YEYuPj
SVW39}
8+E_^[
_^[]UE
3 33UWVSu
F'G8t,A<
F G8tPS7
[^_UWVSM
uNAZ I
t FGQPSF
HSVHWtgHHtF
UNTuIVXFX
EFX3_^[
3;VEN@
}SpSjEPS
YfE^fC
[U\SVW}
+t1-t,0tRC
VPZYYj
+ttHHtd
XO0uD}
MEEPEuPjE3
33333333E
#fWEEEEEEEEEEEE?E
NfUkM}
EFPEP#
EPnNYuO
PEPEPEM
E_^[;r
t78t2=tIC
$Y_[Vt$
3^SVt$
>+~&WPv
tYPVJD
4VLYYF;5D
_^[U$S]
EEP,KYu}
u5}u,e
rYY39M
u_^[Vt$
t)S'YP
_^[Vt$
WVpYt<
3_^Vt$
inflate 1.1.3 Copyright 1995-1998 Mark Adler
jHqA}
kdzbeO\
iLA`rqg
@l2u\E
a=-fAv
\cQkkbal
eLXaMQ:t
jiCn4Fg
c;d>jm
i]Wbgeq6l
8ROggW
A`Ugn1yiFa
fo%6hRw
[&wowG
eibkaEl
`MGiIwn>Jj
)WTg#.zfJa
h]+o*7
- unzip 0.15 Copyright 1998 Gilles Vollant
jHqA}
kdzbeO\
iLA`rqg
@l2u\E
a=-fAv
\cQkkbal
eLXaMQ:t
jiCn4Fg
c;d>jm
i]Wbgeq6l
8ROggW
A`Ugn1yiFa
fo%6hRw
[&wowG
eibkaEl
`MGiIwn>Jj
)WTg#.zfJa
h]+o*7
__GLOBAL_HEAP_SELECTED
__MSVCRT_HEAP_SELECT
runtime error
TLOSS error
SING error
DOMAIN error
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
abnormal program termination
- not enough space for environment
- not enough space for arguments
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
<program name unknown>
GAIsProcessorFeaturePresent
KERNEL32
`h````
ppxxxx
(null)
_hypot
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
H:mm:ss
dddd, MMMM dd, yyyy
M/d/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
1#QNAN
1#SNAN
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
GetCurrentProcessId
OpenProcess
CloseHandle
CreateToolhelp32Snapshot
Module32First
Process32First
Process32Next
CreateWaitableTimerA
SetWaitableTimer
TerminateProcess
OutputDebugStringA
LocalSize
RtlMoveMemory
CreateProcessA
GetThreadContext
ReadProcessMemory
VirtualAllocEx
WriteProcessMemory
VirtualProtectEx
SetThreadContext
ResumeThread
WaitForSingleObject
GetEnvironmentVariableA
lstrcpyn
LoadLibraryA
CreateThread
GetExitCodeThread
LocalAlloc
GetProcessHeap
GetModuleHandleA
ExitProcess
HeapAlloc
HeapReAlloc
HeapFree
IsBadReadPtr
DeleteFileA
GetCommandLineA
GetStartupInfoA
WriteFile
CreateFileA
SetFilePointer
ReadFile
GetFileSize
FindClose
FindNextFileA
RemoveDirectoryA
FindFirstFileA
CreateDirectoryA
SetFileAttributesA
GetLocalTime
GetModuleFileNameA
GetPrivateProfileStringA
FreeLibrary
GetProcAddress
LCMapStringA
KERNEL32.dll
MsgWaitForMultipleObjects
MessageBoxA
wsprintfA
DispatchMessageA
TranslateMessage
GetMessageA
PeekMessageA
USER32.dll
OpenProcessToken
GetTokenInformation
LookupAccountSidA
CreateProcessAsUserA
RegCloseKey
RegSetValueExA
RegCreateKeyExA
RegQueryValueExA
RegOpenKeyA
ADVAPI32.dll
GetProcessImageFileNameA
PSAPI.DLL
InternetOpenA
InternetOpenUrlA
HttpQueryInfoA
InternetReadFile
InternetCloseHandle
WININET.dll
URLDownloadToFileA
urlmon.dll
PathFileExistsA
SHLWAPI.dll
GDI32.dll
GetTempPathA
GetSystemDirectoryA
GetWindowsDirectoryA
GetVersionExA
GetLastError
GetCurrentProcess
MultiByteToWideChar
WideCharToMultiByte
SystemTimeToFileTime
GetFileAttributesA
GetCurrentDirectoryA
LocalFileTimeToFileTime
SetFileTime
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
GetVersion
InterlockedDecrement
InterlockedIncrement
RtlUnwind
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
GetCurrentThreadId
TlsSetValue
TlsAlloc
SetLastError
TlsGetValue
HeapDestroy
HeapCreate
VirtualFree
LCMapStringW
VirtualAlloc
IsBadWritePtr
RaiseException
GetCPInfo
GetACP
GetOEMCP
HeapSize
GetStringTypeA
GetStringTypeW
SetUnhandledExceptionFilter
IsBadCodePtr
SetStdHandle
FlushFileBuffers
SHGetSpecialFolderPathA
SHELL32.dll
ole32.dll
WS2_32.dll
adkuai8
121.199.36.209
58guyu
47.99.214.214
20200101
system
c:\abcd.txt
c:\windows\otalm.txt
\Device\HarddiskVolume
\windows\system32\
C:\Windows\Sysnative\
c:\windows\system32\
\SystemRoot
SystemRoot
????????????????????
???????????????????
??????????????????
?????????????????
????????????????
???????????????
??????????????
?????????????
????????????
???????????
??????????
?????????
????????
???????
??????
EXPLORER.EXE
WinSta0\Default
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
tongji
?==========
==========
==========
==========
==========
==========
==========
==========
c:\windows\
http://
/server/client/server.txt?
/server/client/adlist.txt?
HTTPREAD
startupdate
update
exemd5
exezip
dllmd5
dllzip
del %0
ping -n 3 127.0.0.1
del /q /a
@echo off
ping -n 5 127.0.0.1
taskkill /PID
newdown
exe.zip?
/updata/client/
dll.zip?
exe.exe
dll.dll
SYSTEM\CurrentControlSet\Services\Vxd\
svchost
userall
C:\windows\syswow64\svchost.exe
C:\windows\system32\svchost.exe
\svchost.exe
\svchost.dll
ComSpec
dy.bat
@echo off
start
SUVWPO
t$|f>MZt
_^]3[h
_^]3[h
QRT$8|$
PWT$8D$
T$<PT$Pj
T$<PT$PE
QWT$8STj
RWT$8N<{T
L$|Q<L$
p8~]Kj
K4+D$|t
@(t.L$
_^]3[h
PUD$(WP
L$\33D$
PQT$LC
PVRQT$DT$d3E(:fG
t^[_]P
t$4twF
T$$PT$4_F
T$ PT$0^,
SVWSQRV3dq0v
urocA9F
]^ZY[prae2
EcEt]ELEoUEdELEiEbMUMEyEA]EVEiMEtEuUElEAElElEoEc]EVEiMEtEuUElEFM
]EIEsEBUEdEREUEdEPEtM]EGEEtEPMEoEcpEEE
ltPSEsEsEHUEpEFMELEiEbMUMEyEHUEpEFMEHUEpEAElElEoEcEHUEpEREAElElEoEc
G(_^[]
kernel32.dll
Advapi32.dll
psapi.dll
advapi32.dll
user32.dll
wininet.dll
urlmon.dll
ntdll.dll
GetCurrentProcessId
OpenProcess
OpenProcessToken
CloseHandle
GetTokenInformation
LookupAccountSidA
GetProcessImageFileNameA
CreateToolhelp32Snapshot
Module32First
CreateProcessAsUserA
Process32First
Process32Next
CreateWaitableTimerA
SetWaitableTimer
MsgWaitForMultipleObjects
TerminateProcess
OutputDebugStringA
InternetOpenA
InternetOpenUrlA
HttpQueryInfoA
InternetReadFile
InternetCloseHandle
URLDownloadToFileA
LocalSize
RtlMoveMemory
CreateProcessA
GetThreadContext
ReadProcessMemory
ZwUnmapViewOfSection
VirtualAllocEx
WriteProcessMemory
VirtualProtectEx
SetThreadContext
ResumeThread
WaitForSingleObject
GetEnvironmentVariableA
lstrcpyn
LoadLibraryA
CreateThread
GetExitCodeThread
LocalAlloc
program internal error number is %d.
blackmoon
BlackMoon RunTime Error:
DLL ERROR
:"%s".
%d%d%d
incompatible version
buffer error
insufficient memory
data error
stream error
file error
stream end
need dictionary
invalid distance code
invalid literal/length code
invalid bit length repeat
too many length or distance symbols
invalid stored block lengths
invalid block type
incomplete dynamic bit lengths tree
oversubscribed dynamic bit lengths tree
incomplete literal/length tree
oversubscribed literal/length tree
empty distance tree with lengths
incomplete distance tree
oversubscribed distance tree
incorrect data check
incorrect header check
invalid window size
unknown compression method
%s%s%s
;3+#>6.&
'2, /+0&7!4-)1#
incompatible version
buffer error
insufficient memory
data error
stream error
file error
stream end
need dictionary
I x@oGAkU'9p|B
~QCv)/&D(
uuvHMXB
9;5SM]=];Z] T7aZ%]g']
?Zd;On
7?3=Bz
;1az?aUY~S|
D?$?9'
*?}d|FU>c{
zc%C1<!8G
u7.:3q
#2IZ9W
,%I-64OSk%Y
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
2x7uJ/x "!T
p~RS/q)T]'bCh
Lw}I)JL5Z3Is
(v5Q3`
,vAIe)#RU
PqWV6{o-YJ
1Yb7$M~
&k#X GH
FJro_D%Z\
m�s�c�o�r�e�e�.�d�l�l�
r�u�n�t�i�m�e� �e�r�r�o�r� �
T�L�O�S�S� �e�r�r�o�r�
S�I�N�G� �e�r�r�o�r�
D�O�M�A�I�N� �e�r�r�o�r�
-� �A�t�t�e�m�p�t� �t�o� �u�s�e� �M�S�I�L� �c�o�d�e� �f�r�o�m� �t�h�i�s� �a�s�s�e�m�b�l�y� �d�u�r�i�n�g� �n�a�t�i�v�e� �c�o�d�e� �i�n�i�t�i�a�l�i�z�a�t�i�o�n�
T�h�i�s� �i�n�d�i�c�a�t�e�s� �a� �b�u�g� �i�n� �y�o�u�r� �a�p�p�l�i�c�a�t�i�o�n�.� �I�t� �i�s� �m�o�s�t� �l�i�k�e�l�y� �t�h�e� �r�e�s�u�l�t� �o�f� �c�a�l�l�i�n�g� �a�n� �M�S�I�L�-�c�o�m�p�i�l�e�d� �(�/�c�l�r�)� �f�u�n�c�t�i�o�n� �f�r�o�m� �a� �n�a�t�i�v�e� �c�o�n�s�t�r�u�c�t�o�r� �o�r� �f�r�o�m� �D�l�l�M�a�i�n�.�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �l�o�c�a�l�e� �i�n�f�o�r�m�a�t�i�o�n�
-� �A�t�t�e�m�p�t� �t�o� �i�n�i�t�i�a�l�i�z�e� �t�h�e� �C�R�T� �m�o�r�e� �t�h�a�n� �o�n�c�e�.�
T�h�i�s� �i�n�d�i�c�a�t�e�s� �a� �b�u�g� �i�n� �y�o�u�r� �a�p�p�l�i�c�a�t�i�o�n�.�
-� �C�R�T� �n�o�t� �i�n�i�t�i�a�l�i�z�e�d�
-� �u�n�a�b�l�e� �t�o� �i�n�i�t�i�a�l�i�z�e� �h�e�a�p�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �l�o�w�i�o� �i�n�i�t�i�a�l�i�z�a�t�i�o�n�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �s�t�d�i�o� �i�n�i�t�i�a�l�i�z�a�t�i�o�n�
-� �p�u�r�e� �v�i�r�t�u�a�l� �f�u�n�c�t�i�o�n� �c�a�l�l�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �_�o�n�e�x�i�t�/�a�t�e�x�i�t� �t�a�b�l�e�
-� �u�n�a�b�l�e� �t�o� �o�p�e�n� �c�o�n�s�o�l�e� �d�e�v�i�c�e�
-� �u�n�e�x�p�e�c�t�e�d� �h�e�a�p� �e�r�r�o�r�
-� �u�n�e�x�p�e�c�t�e�d� �m�u�l�t�i�t�h�r�e�a�d� �l�o�c�k� �e�r�r�o�r�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �t�h�r�e�a�d� �d�a�t�a�
-� �a�b�o�r�t�(�)� �h�a�s� �b�e�e�n� �c�a�l�l�e�d�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �e�n�v�i�r�o�n�m�e�n�t�
-� �n�o�t� �e�n�o�u�g�h� �s�p�a�c�e� �f�o�r� �a�r�g�u�m�e�n�t�s�
-� �f�l�o�a�t�i�n�g� �p�o�i�n�t� �s�u�p�p�o�r�t� �n�o�t� �l�o�a�d�e�d�
@�M�i�c�r�o�s�o�f�t� �V�i�s�u�a�l� �C�+�+� �R�u�n�t�i�m�e� �L�i�b�r�a�r�y�
<�p�r�o�g�r�a�m� �n�a�m�e� �u�n�k�n�o�w�n�>�
R�u�n�t�i�m�e� �E�r�r�o�r�!�
P�r�o�g�r�a�m�:� �
K�E�R�N�E�L�3�2�.�D�L�L�
(�n�u�l�l�)�
E�H�H�:�m�m�:�s�s�
d�d�d�d�,� �M�M�M�M� �d�d�,� �y�y�y�y�
M�M�/�d�d�/�y�y�
D�e�c�e�m�b�e�r�
N�o�v�e�m�b�e�r�
O�c�t�o�b�e�r�
S�e�p�t�e�m�b�e�r�
A�u�g�u�s�t�
F�e�b�r�u�a�r�y�
J�a�n�u�a�r�y�
S�a�t�u�r�d�a�y�
F�r�i�d�a�y�
T�h�u�r�s�d�a�y�
W�e�d�n�e�s�d�a�y�
T�u�e�s�d�a�y�
M�o�n�d�a�y�
S�u�n�d�a�y�
@�@�@�@�@�@�@�@�@�@�@�
@�@�@�@�@�@�
@�@�@�@�@�@�@�@�@�@�@�@�
@�@�@�@�@�@�@�
W�U�S�E�R�3�2�.�D�L�L�
� � � � � � � � �(�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
� � � � � � � � �h�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �H�
C�O�N�O�U�T�$�
@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�
@�@�@�@�@�@�@�@�@�@�
@�@�@�@�@�@�
(�n�u�l�l�)�
� � � � � � � � �(�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
B�B�B�B�B�B�B�B�B�B�B�
B�B�B�B�B�B�B�B�
Hosts
| IP |
|---|
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.