2.7
中危
DACN
0.12
FACILE
1.00
IMCLNet
0.76
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | None | 20190527 | 0.3.0.5 |
| Avast | Win32:Evo-gen [Susp] | 20190915 | 18.4.3895.0 |
| Baidu | None | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (D) | 20190702 | 1.0 |
| Kingsoft | None | 20190915 | 2013.8.14.323 |
| McAfee | GenericRXIN-NG!28D368D34F65 | 20190915 | 6.0.6.653 |
| Tencent | Virus.Win32.Viking.aak | 20190915 | 1.0.0.1 |
静态指标
查询计算机名称
(1 个事件)
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1727545318.765625 GetComputerNameA |
computer_name:
TU-PC
|
success | 1 | 0 |
检查系统中的内存量,这可以用于检测可用内存较少的虚拟机
(1 个事件)
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(2 个事件)
| section | VHqxTUpa |
| section | IaDsgWGk |
动态指标
在 PE 资源中识别到外语
(4 个事件)
| name | RT_CURSOR | language | LANG_CHINESE | filetype | None | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x000109f0 | size | 0x00000134 | ||||||||||||||||||
| name | RT_ICON | language | LANG_CHINESE | filetype | None | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x0001a134 | size | 0x000008a8 | ||||||||||||||||||
| name | RT_GROUP_CURSOR | language | LANG_CHINESE | filetype | None | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x00010b28 | size | 0x00000014 | ||||||||||||||||||
| name | RT_GROUP_ICON | language | LANG_CHINESE | filetype | None | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x0001a9e0 | size | 0x00000014 | ||||||||||||||||||
在文件系统上创建可执行文件
(2 个事件)
| file | C:\Windows\MSWDM.EXE |
| file | C:\Users\Administrator\AppData\Local\Temp\091BB3A82A7144B5C9A492942C03E8042FC03DB66BF8129BAB4C73EAB29537F9.EXE |
创建隐藏或系统文件
(1 个事件)
投放一个二进制文件并执行它
(1 个事件)
| file | C:\Windows\MSWDM.EXE |
将可执行文件投放到用户的 AppData 文件夹
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\091bb3a82a7144b5c9a492942c03e8042fc03db66bf8129bab4c73eab29537f9.exe |
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': 'IaDsgWGk', 'virtual_address': '0x00011000', 'virtual_size': '0x00009000', 'size_of_data': '0x00008c00', 'entropy': 7.755297044051427} | entropy | 7.755297044051427 | description | 发现高熵的节 | |||||||||
| entropy | 0.9210526315789473 | description | 此PE文件的整体熵值较高 | |||||||||||
网络通信
与未执行 DNS 查询的主机进行通信
(2 个事件)
| host | 192.255.255.255 | |||
| host | 114.114.114.114 | |||
在 Windows 启动时自我安装以实现自动运行
(4 个事件)
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM | reg_value | MSWDM.EXE | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM | reg_value | MSWDM.EXE | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WDM | reg_value | MSWDM.EXE | ||||||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WDM | reg_value | MSWDM.EXE | ||||||
文件已被 VirusTotal 上 51 个反病毒引擎识别为恶意
(50 out of 51 个事件)
| ALYac | GenPack:Trojan.Agent.DYAA |
| APEX | Malicious |
| AVG | Win32:Evo-gen [Susp] |
| Acronis | suspicious |
| Ad-Aware | GenPack:Trojan.Agent.DYAA |
| AhnLab-V3 | Packed/Win32.RL_MultiPacked.R287460 |
| Antiy-AVL | Trojan[Dropper]/Win32.Agent.a |
| Arcabit | GenPack:Trojan.Agent.DYAA |
| Avast | Win32:Evo-gen [Susp] |
| Avira | TR/Crypt.ULPM.Gen |
| BitDefender | GenPack:Trojan.Agent.DYAA |
| CAT-QuickHeal | W32.Ipamor.C2.mue |
| ClamAV | Win.Trojan.Ipamor-26 |
| Comodo | Heur.Packed.MultiPacked@1z141z3 |
| CrowdStrike | win/malicious_confidence_100% (D) |
| Cybereason | malicious.591320 |
| Cylance | Unsafe |
| Cyren | W32/Ipamor.A.gen!Eldorado |
| DrWeb | Win32.HLLP.Iparmor.35858 |
| ESET-NOD32 | a variant of Win32/Ipamor.G |
| Emsisoft | GenPack:Trojan.Agent.DYAA (B) |
| Endgame | malicious (high confidence) |
| F-Secure | Trojan.TR/Crypt.ULPM.Gen |
| FireEye | Generic.mg.b8ce8eb591320575 |
| Fortinet | W32/Parite.C |
| GData | GenPack:Trojan.Agent.DYAA |
| Ikarus | Trojan-Dropper.Win32.Addrop |
| Invincea | heuristic |
| Jiangmin | Trojan.Generic.durje |
| K7AntiVirus | Trojan ( 0051918e1 ) |
| K7GW | Trojan ( 0051918e1 ) |
| Kaspersky | Packed.Multi.MultiPacked.gen |
| Lionic | Virus.Win32.Lamer.l8cz |
| MAX | malware (ai score=81) |
| McAfee | GenericRXIN-NG!28D368D34F65 |
| McAfee-GW-Edition | BehavesLike.Win32.Backdoor.cc |
| MicroWorld-eScan | GenPack:Trojan.Agent.DYAA |
| Microsoft | Virus:Win32/Ipamor.A |
| Panda | Trj/Genetic.gen |
| Qihoo-360 | HEUR/QVM11.1.E54F.Malware.Gen |
| Rising | Stealer.OnLineGames!1.64DE (TFE:1:0RdjHLUhaW) |
| SentinelOne | DFI - Malicious PE |
| Sophos | W32/Systro-AB |
| Symantec | W32.HLLP.Ipamor |
| Tencent | Virus.Win32.Viking.aak |
| Trapmine | suspicious.low.ml.score |
| VBA32 | BScope.Trojan-Spy.Zbot |
| VIPRE | Virus.Win32.Ipamor.a (v) |
| Zillya | Backdoor.Ipamor.Win32.1 |
| ZoneAlarm | HEUR:Trojan.Win32.Generic |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2002-07-11 12:39:26
PE Imphash
62a960f8ad30d2ced6e939ce901644b8
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| VHqxTUpa | 0x00001000 | 0x00010000 | 0x00000000 | 0.0 |
| IaDsgWGk | 0x00011000 | 0x00009000 | 0x00008c00 | 7.755297044051427 |
| .rsrc | 0x0001a000 | 0x00001000 | 0x00000c00 | 4.49982474981782 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_CURSOR | 0x000109f0 | 0x00000134 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | None |
| RT_ICON | 0x0001a134 | 0x000008a8 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | None |
| RT_GROUP_CURSOR | 0x00010b28 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | None |
| RT_GROUP_ICON | 0x0001a9e0 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | None |
Imports
Library advapi32.dll:
• 0x41aa6c OpenProcessToken
Library KERNEL32.DLL:
• 0x41aa74 LoadLibraryA
• 0x41aa78 ExitProcess
• 0x41aa7c GetProcAddress
• 0x41aa80 VirtualProtect
Library user32.dll:
• 0x41aa88 ExitWindowsEx
Library version.dll:
• 0x41aa90 GetFileVersionInfoSizeA
Library ws2_32.dll:
• 0x41aa98 WSAStartup
L!This program cannot be run in DOS mode.
:o:n%}
:n~%d:n~%e
:nRich:n
VHqxTUpa
IaDsgWGk
7h1Z_M
op+jhu(wn
v;XJxyt
]@`V24itbXy
M.za/>
E/xnet3ZY5
iZJhNSw
cno NrkN:
q,Ub0I33*
AE-[wAqr
OCkX}pS
'"G;#MJKKH
^ :JH30[Q9
e/Pj]+@
q*+M<2f
qeH h3'
uJ;je]m >
<(Xe!ey
@/l3){ll
Z5!5)lrz
tTC27n=)vcH
=#y$COo{W
~#h"~f
qt+}lx
\Lp'0=
/LIbtTQ
S76R6fy\+w
NQqv<6
xxE6!un|E80
K} 2BU
H^3l/PDwj%5
0`|H\m?`7^#_
ogO9S94SC.{ E
+I]C3EqpSb{
'gV9"|
!']XCVsp
=/x?G}_%c
S\@UnT
_('O2hi{"f
lw)+/GQfD(
142)-ZTn? #
J\O)F>joXQ>
)0sjzi(x4^`
Uc=RAahA
`= >tQH`
`iv0O|8Pz
WU&L!c
6=pwqWd!UMl(V
Q5&%=i*V<u4X
K=is<
rc|7BM
q0^I"T
TVvfj6ja7~7
Thj%u63KUI&0
QcaAbV=
cMF$.|j
yuLGq2ek
8:"LNJv'S
/:>1AAz
z|r8by$'
6<[zwT1
|(g~JP
2\0ynG
"_9jQ;zS
hrWEysT(7yzM(
d~z4-)w
<xe+|.
yB[89L;edxH
%H/'tE
9)t 64
(/pVd~ShB
\z`}{,t6
7] ?Pd9 {$'
IA:=M)}4=?
BbAk7>U9
A`J$i|x
,K#,!Exz
7Z]4D1
9;+Qc%:EE
tHm(RY!}1K"L16
$=+EUg[xD/T
$hw,|[
"YpA.oyvQ
f!v!.b
]Y6)3g
*[\*/UPL7:e
7\zE^O
CUo%!m
F+#!bH"qz\F
.Q2+%!
K8U(0eR#)k{m
"]DJ3@E{Y
r-oo]S
(TyLvDO
KBKdK
HM|7{^
k V-z[
Qz.%KbK7Xo=
Yus>2#P
7Q6D #
n3?8i1+bP
4JMV+N!(
He~gjt7m|`h
BL)wWV
h#hdoo
IEV`o4c
v+]pL*_
)I<"AL{[w
/m}zst
v~u73$5MmO&o
3U/dnE[
srd}`.
7pUY S`7
%p}k6O
rF!Oo{>Ti
V./y1~`
C*A\cQ
bXPUK;
'|Z7!Q
lzw"]qj
m= f=xaj70
sj6F3a*
e+Gpf62BiE
/M`&(&
5Kw70q4
'D!oybw|
}$ch"7j
,FF'eF
5B63 !
teKUj$@Y_\X
F]lo.}
t.}d4P
nRsa$Q:X
0,DVo[
44`d%/
2czY9^rQZ
aF q6"
0`s)FfK6o: Y
v1O0IE
]'sO5~_f
%/v$+&
Hf xJ^nkbL) .\
=vG8p&z^
&3W,P)C?
ni7 Vnf
T[[\$m0jF
XfV96ADi
l\72aEm
)Z(|>&
`:E#TN
N'P{4/dS
{g\E[["I$
&!whA%
t3BX49tsZ|
Mj}Ru4h
gY{q9V[Ie
Hk%NsE/W@
<XA[0NX80
aK 4:Jd
y>)uLV
K]1i@1nL
Yj,/agK}`
x+=(!qW
[~x7_8{
VUK+*,,
f7L0w;gx
#J"N<5~YbxIc
PL@V"|
#@XpqK
Gn]D7g"cs
a7VXoCq0L
6DV~6-]
[<gD&;=z
fuN{2{
RFx8\~ES_:
y0pFl`V
Y2]%_z
_1s)!a
WJa~%{
}\rHVR>
-Y"#"U
:.+N/ R(nu/|
ota`2w
?3f"V0
Sg&P&sMa
WIDBv,
`@eW3G
IKUU0ds$N>,
t6W/d3`
>lII4M7)Q
iUr@JLo_l{M
kHrR`IawFu
'o=m(+n
#K4^)V_o\2
lK[tPh@?u}gK&9DN
~ea+%
khOa3R0jg
dq4aQt(-e
CJ3o7@S
A%o(w@(
XcRv_Io
#'.^lRk
\|[b@v
S."HKg6Z^
B"XoN21AQk
(^KzX]
79%IJ(
0A/3M<4|S
inP_sxg
Y "{<}5
fL(sr#j
5y"GiAaz
JRiA/i3[m>{
Y3sleK1\tWY
o; XufB
:MoY84x
JOU?91)1x+
-qVQ|+tE
0XT9o=3
|MD#b6&.H
%}Tgzq
&a';?*v2wqDY
qfwB/~o
#A$X|_
YW.7))0
%NH'lx
C*g$\Z?\0
d/$ry-b4
JzS2&ValdX]
Tb/mli_#
5=|PG2Fij
I<?%@<C(jFnN
\7_;4 k^X-<m
F;C7\Cv/
X.?15"-E
g(!IM:
|)/o`lVeVE9j
#M`5c+on
__*S`S@PJE
Pvjgq_r2YK"u7
"kV Y/$0
k*8"Tlr
PW!@R;r&FV33
JU/Htpy(,S
} >=]I2u4r_?"{
<gZJa1Ry9
G__psa
3e1U|_%@:3#
%PKkiH/sTYS
Ri_%e,:
Vb vq
}Ada}O
q0lsA%m92z~.
=GmxCJ!~
er IqP
|U[x;E&
b@BS29
$/~SK-![nELRFKP1C,
0fV2Aar_`[$ ]
8|${w*,^
M *Mku/
%W>9vc,|aC
LS1-j'
aA.wyrl'
>RyYq-R93
3%wk[\,[~Jnk
grih,&
<78{(](
#pGY:P
K ?P>WeLU:@1
\m.SBoO
m]D@%-'{8,*
hd,R,)Cy^HV%8;
R4 -p?R/PMCR|
6pGE>`
,fPtzjoKlZ
:C1%Ah
J6{aITvSI
#qiwT]0
'#>@rj|;c[/CD
IO:\-wW
7$<#<o_ZL_3/
.rl&r<u
WpA/,m5cZ`s
nJrx!}
0Gqo-W+.1(
RdZ)^R
WxgN{!
($Ryq[B{
}*=6/?
y|w1sP"'
4c<1J`[
e+}_x1>u
|_|-o /P
zqeXZ%Pl-.
V>_{|D
2c]r_q#BP3GS>
y+<s#Od
OlEC"g
fw+)V:
0%nZI@j5
Bt"7^>
fp_u0:e
wU?3:r
21hbL^bV@)!
gBcxe2-
b/1n=t>tF'I
79CRFBr !%D
f Mn q
UQ7J0_9
} N!%f2
C[+uh%
c_bn*6
4v3m)Rmtk4R9n
3>?H}%oPm
Mv _~yo
<ohxS *N>
F%p9]4z
~nN m!mz1
i{)AEqN
/To;:UY
hda3g+)dp
:E:~.7:5}
s^m56R@~\
'q8*.{~v(
x!jI0I@_
^7gX- o
j-6`V5
.'0S~QX
i~6DyY;
-.QLp'
n(-[3p
9aLwqG
p}KW9#
aOb{G(#mRlF
2TulFU(HOHWb?
lD7Csyp!x
>AWl~M
MmA_.]_<l+
[\PLq '
X^jz#ot
!y`=1wuvs
/u>,Lt9
2Lf qh/
)~WE/o[D`*I?F'QPeop-pyn^D
(,`G(_
h2WD}pR|
1S!Iv
MMsTHtmj&A
BCw+{'B
cJ#=@#
,_&,[O
6^G]f?
`/<R8wg+pG6
tCv$zhzj
&t-r_]RG\[
N)yz-%,-I:
Wn<Aso
{Qa^j'.
Ogd;6CL
]9,Fc)^
3zQ\J(I1b
$Oo~:uWRa
ON":n;ErvdC#
0)QT7/!>Z
`w 9 >
FvKi:,
x=Qfg\?I
p'{HZVC`
el/Eszo}%dK!JW(w
uET%v/[o
wzJ_.4{GF"h
_`hl-L%fxC\:/n
:i)<^uz@BpV
h22)xM
>+j9i/f
0TQYYE2F[I;N&
[.w;C3
F|K`O^7w
n5gyRq(,PpS0z
go['v3
/`vz,>
3;K/])UNcZk
C839$z*g
z!R8L yN= 4o<
Q-4?Z4`
bqP0w?Now)]0@^
W A+8f]
eDC{[/0a
_a85"(7E
h,c&vJR{Tyc{
c.B)]Z
>p+{SEl
K>cD0Pl"
$.4yfe{
K]6ot K =iJk
L8z_o%
=Y{oK^
b4rj2$Ij'!
D=2|6g
I7$L-fq93?'
#<OK 0EU
E=-M=aN
^XHEm)
#M^V_[+}
5zv`5/[2
-ExH^2'PRq
v:Cp5V
o}Dq8F8O
MhMX>Zm!_)U
UU2*JFUQU%
#k9dgW
B^yJ3A
Kju(j7%OH\
YH]T\)
G}ss>y
\J~z0t`6Q
~i ? 5
=fjv2x
*#EQ~Kz:
(M2Qetzx
LijF:%#uv
iLG}rp:(}*|
-OZ1~*:V
&k^Q(d,+cE6|]hc6
gWq`IX
[Bmo,2}a
>/,e?.,V^
|q):q,M-
PDXl9#l
-( qbC
ifE[~|GO^u>
eSYNs<0iGZTv}
z?H%?+,_0
.XyRzl*
K+0g<Co
H^\fOyiCQ;f
B;|SM-:ZE
|tT:8MtV[
+[K:t3?:uL!Q
}fr\bNd}B
Can[(k'0Tp#g^f
oX[Kt!
QGt9ykw-u
.?,V%7
S#2j;2B`^|<3y
}8[<wRk
vW;4;3=]f=N|y
R{NJ?W'+fy#(n
CxKBe'/Y%>
hgTsfDo
g-rZCRy*gX
~~5E}l
H#alA/orE*
w ZO{!
PtI0tas
Lt^|3)3
l":+E+JX0e
U@+:^eV_~m/F|
&GP Ky
2=Hto#
oASkZZ
t#THn24
% q$n[9SM:n
yeumrr9|e{i/
B7$Tw-.i {o/6nn
)d'ST^#*
O+!Q$8
=7xKU;
}Jjg~~Qz
=j?kJ*a
Lo&;Ns
I1aHy3
2=j_7kb
_ XQk9
PO-eww?"RToJ
#^:=V+k
z{K4;.S
ju=X~D}LS
,:_,oe
V1E99_7
V7,/&7&w0
.JB!$EZ1
}VCkS8fq
chM%~&1
&,xM5r
@fheA
&)1'&Ji!We4
csfzhnn^C
P6if&|UT
+veBk~f{b
g:oqt3a3Y
est08l\
] ,TUIY
UFU? J
q!/I[
a%]kSW
QEwVirtu
FreweA1#
UOC[uo$
WK\!8s
8o9u$,J
;a@*&R? Y
@kernel32.d-/
ExitPress s
ageBoxA
wsprintf
LOADER
The p9dur
o( %s mcould no
7at&[
t4dynamic
bra93Pord
uBRK$;
$XQR/u
(08@P`pi
g=SUVW
|-3v^,3
`mt$(z
4+$Inr@I
_^]2ph
1-vh7Wt"V\5Wh
vG8;A;rU
;;F,-s
nro<_sLD
EK0kdj
)bo`$5R4F];j
4$F`u(j
x~N}RL4#HL%
R ~O$(VP!
T$!5zmC?[?V^E\6
GdXh{3eg
")Pv!=
%5Z};/
h6=mm-0
r2kI?b
(5:.5_|tv
rqmUojn
q@~{<G2
xjTG[v
nQ3n[y/oX_
C"fTxldP{B
DA66,b
vzsrRL
iiVhw+[~Xkyc
w#eGxW
Wmy;euWc
C8Dxi{w!aw{0
CmohY?'vyh/r
6ewf#i
yEg8c
w<lir>
.v`jC5$F{
NdDn=%?iK
K3+ps#
GD2lF@.7v(
o=GQk~)
xrTj9\)
|2.6XHkEz
_6[U Zr
>A`. Pk
U3Ir.c4
yqPJF~%
F%RP{?
7(= @tF}>
WfW+.%Q
)q1d'lprsS76
Q[<L6#
?bZXw7&1o[|Yv
OY464QA
KJIUmo
?QaQ_9
ModuleHand
LoadLn
OpenTok
Winko>ows
[FiSVersionInfoSizb
{!SsPE
.text
.&e'0!
aspack
Xr'xO0
'.hpbefA
`.lgdjuqz `'
iUzdfuw6
GPGWHU|
XPTPSWXaD$j
wwwwwwwwwww
wwwwwwwwww
?VGK{{7
@tf~nwflfFGc{9s8lvtgf
8{{ugfvlf~eylgf|ggp
{{sFn~gnfe
y{vn|~h
y9v~~|w;
{{9;9<he;9
w~~~~VfS
7f~|fT;;
y|ngfDa8
9F~e`;
w;FHgvV
@y7l|lgw
ddfWv~ggg3
FFFvvn
glffgw
LlfgfG
advapi32.dll
KERNEL32.DLL
user32.dll
version.dll
ws2_32.dll
OpenProcessToken
ExitProcess
GetProcAddress
LoadLibraryA
VirtualProtect
ExitWindowsEx
GetFileVersionInfoSizeA
L!This program cannot be run in DOS mode.
-/Rich-/
`.rdata
@.data
@.reloc
Vt$(W3
;||$ 3
L$,h!@
][_^ % @
1E3PEd
u:5p3@
Y_^[]f=
8csmu*x
Ujh8#@
1E3PEd
Y_^[]j
EMQURE
Y_^[]j
;r_^VW
;r_^%t @
(;r3_^[UjhX#@
1E3PEd
Y_^[]% @
XULRunner
Couldn't calculate the application directory.
application.ini
XUL_APP_FILE
Invalid path found: '%s'
Incorrect number of arguments passed to -app
application.ini path not recognized: '%s'
XUL_APP_FILE=%s
Couldn't read application.ini
e:\fx19rel\WINNT_5.2_Depend\mozilla\obj-fx-trunk\browser\app\firefox.pdb
XRE_CreateAppData
XRE_GetFileFromPath
XRE_FreeAppData
XRE_GetBinaryPath
XRE_main
xul.dll
NS_LogTerm
NS_CStringContainerInit2
NS_CStringContainerFinish
NS_LogInit
xpcom.dll
PR_smprintf
PR_GetEnv
PR_smprintf_free
PR_SetEnv
nspr4.dll
PL_strcasecmp
plc4.dll
MessageBoxA
USER32.dll
??2@YAPAXI@Z
_vsnprintf
??3@YAXPAX@Z
wcslen
_amsg_exit
__wgetmainargs
_cexit
_XcptFilter
__winitenv
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
_encode_pointer
__set_app_type
MOZCRT19.dll
?terminate@@YAXXZ
_unlock
__dllonexit
_onexit
_decode_pointer
_except_handler4_common
_invoke_watson
_controlfp_s
_crt_debugger_hook
InterlockedExchange
InterlockedCompareExchange
SetUnhandledExceptionFilter
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
IsDebuggerPresent
KERNEL32.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
version="1.0.0.0"
processorArchitecture="*"
name="Firefox"
type="win32"
<description>Firefox</description>
<dependency>
<dependentAssembly>
<assemblyIdentity
type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
processorArchitecture="*"
publicKeyToken="6595b64144ccf1df"
language="*"
/>
</dependentAssembly>
</dependency>
<ms_asmv3:trustInfo xmlns:ms_asmv3="urn:schemas-microsoft-com:asm.v3">
<ms_asmv3:security>
<ms_asmv3:requestedPrivileges>
<ms_asmv3:requestedExecutionLevel level="asInvoker" uiAccess="false">
</ms_asmv3:requestedExecutionLevel>
</ms_asmv3:requestedPrivileges>
</ms_asmv3:security>
</ms_asmv3:trustInfo>
</assembly>
q9ysy{p
yy9;s9;
P@@@9y0
9y7y7BFTs
{y999yyvFF
9|gwvGFFwyvf|gffFedK;y;
FLn~f~VddfH;7
1dGlllvVGK{{7
@tf~nwflfFGc{9s8lvtgf
8{{ugfvlf~eylgf|ggp
{{sFn~gnfe
y{vn|~h
y9v~~|w;
{{9;9<he;9
w~~~~VfS
7f~|fT;;
y|ngfDa8
9F~e`;
w;FHgvV
@y7l|lgw
ddfWv~ggg3
FFFvvn
glffgw
LlfgfG
7[Q@BD
8utwT$
{y;94Ffvd@a{{RElv@@w{97tw~FFF
{{vFd`g
7y7|vgF^D
yvvdgg
s;9~|~{
wg|~vFK
wx{|gex
Vgx|vg
ll|ffg
7qd@yyqf{yCVdK{sFvgx5f|9{~i8x{
ciimimnl
,`fiiiiiiimu
]`fiiiiiiiim
,`ffhiiiiiiii
]ffhhhiiiiiii
`mhhhhiiii
{gs^++*
_jackkkk(
bnjIFFIU#
jnjjj>FFFFFFFJJHFF
lnjajjj4EFFFFHHHHHHHF
tnsaaaj
"#'EKHKKHKHH#
jsaaa(
&EHKKKKKKK
utlpIKKKKKKKKH
EKTTTTTTE
&GHTTTXF?
'KTXTB%?
'KXXB%AAA
%TKKKE
'GXXCCRXA
%CTTRKH
aJXYYYXXAACTXTKKK=y
a3TYYXYXYXXXXTXTKF6
xa|WYYYYYYYXYXYTTTH'y
{8XZY[Y[[[Z[Y[YZYT@EE#5
'VZ[[[[Y[[[[[[YXE
9KW\\[YSY[[[[[ZE"
GVZ\[YXY[Y[\\VI
<?AABXYW
RW[[ZYYZYU>
$BDDSZZZZ\ZYYV
IBDQZZZZ[\[[\\[[WVJJ>q
LDQQZ\\\q/
EDQZ\'%
MBDSY\\ZQAA
PEBQSYY\YYSQDAE
PJFABHBAAFL
elllpqor
dilllllpt
gilllllp
elkklll{
mmF:::GNM:6
mhmm$89??????
?@B@@@
y~?JJRJ@
.<WA2O1
mEXYYW;=VRRH-
ymT[[[[YXWRJ8
x+Z]bbbbb]]]?
-Sac]WcccaI
EZbX^]c`C%
703W^_[ZU
D4Paaaaaa_UL
K5Q^aW4/G
H==V>5=K
EGHILJ
K\]_b{|S
F\aqsye#
MNQkyuP
U`su}
+89*,cp
/??6.h
5OCB3"
IDATx}p
48CvS8M
IIlKXK]dn*y
^elUmUnYUkm
&VL:rL(E&
~~kXuZuZuZuZuZuZuZuZuZuZuZuZuZuZuZuZuZ<
$(!AKvJm
=_Jp-/B2
.]G:0Vt(m6v?k#i
?p Sb[
&o( IP!h
yn2@]n
A)ECATTUH
3z7*muk
@Q{w3 Pk*ME5
B;<(n*.vzd
np+%(zJ]1SoP
]LAy[v@4
!)O3@0
;{l+\3o9$
2e|5mRS
d[E\&)
635~7AwBhUq
ar%A(`#
eor][)!-V+
pd0s30H%
?*U|=Cl
5|[a IV
r*z+|f(qqf(Y\w
W>?~5_
]m*p7R
rA7)h|\Dk&
C^>8sh/d
X|Ht2)6jH$%84
dBQ|yLy
',5 yU[^o
xCN@#PTQ3
f@C>de
06B9_3"tMuEa
$`P7*h_ ) 8'W
hr_=@I
L*0BzCbj1_
% z:|G
8\vAjdqlkuQ
>.)MS~
bFiE7r]T~gJO6
qcDG/?SGsp
vK-/69>
- 7*v^U
Z 3S@l
dOz[z!{ h
;}];M/
9MuFCeAB
rZ NY>
qQ@?bdw
_mFFFy`s*d@
m%-+vkGR~^()
=7Mo5*b
E%bzbACf
4zy#7}S)
=VZrq;b!7
BMX2 ;4
$wKIk^a
0Tt7/!
%_xg&v@
j3$8u<7Z
2aCE:qH
T~N``% [
~ylo0F
]Iq`*f
Wk'}6g-:V8
y7H<PT
",i@|c&q
BgZmR@
R{%Z[tKY
/jmMabe'
|jSS-h
R(pd%d">
Haj6mvF`/
l me@A34
Z#{t]Y
$\[;pvf:
u(]XIy
~gct1'O
JyU2eX)
9w!:6
!jAsGs?
59t%rl
3w=3}]EG
&\_J2Dv;`(?
_*;9=cc
@-@P=d
.y1h ,t
@W% #
ax1 `P/
@J v:+p
]/GNoSq<_?#\
.hE!
f>c7Oh
KL>PBF
Zg>aF;p
Q6@4,H3v7P
#qFhvQ
wFx#//u}r
qP R:}J{N
`Y4x\aj
u|L(%W)Fq#7
yIn@RK
x^a@.'Q
J,0y+#
!at0b!
nn_" (
o)7?;)
ws6F7`~
RLuj^o
xn#83f|
pC4\'F.a|ug:
gKs.3uIC%
'xrJA-
fi?}"et
bJE!B\2d5
x&SBK`
@xx{>9@c
0~m<XHAN)Mf@
/IJ1dd
SH\)M*
("wy,x6mKd5
0g>Hy 9N
X3@PqD
wqvqFG
ALj:kr-%L
9Z]^[%
4Z@g9&5s
IDATvxw`~
Obz<<:mZ
b ol8F
N0cBo^8Bq
y|^r;x
[=SXP/o8i,]
sw|vye/
(Whxur?
_jwa 4+n
02"i6h6
Q.J@\Z,
p^3yF$
wpNt1s_;SW^s-`5
3Bw}ILQ
,_:a~|.\+d+
Uyf7mf&k.
5V07[EE~te
.b i2}_
C5!0#+'Q
}32bymr,
J:pK_G
}(mW :+U
VR7vI*mMk3+
6ZkouV
uNuOE2<`F-u\:
xfXdbm/q
38Pp*Z
\RgM:v=&y%
;?_ A}FN
Dl;I(+ B]T96rVv
F/ 7XS[\p=q
mVy^Wf
1]_\W2
_+x>QQ7 &F6GG
9f}@ E
<I`&d[K
.@[ dqwmE)
1T~u {n#ft
HmHRU8SH
;R9BUgKPU/!
Zk"k@1ckoPj,D
^rl0]+
/58!9Q
.r.|}?GV
Qzgd?o$2L
UP%<3B-5
l\sMuBL
EoXV8}
I="cO_&)
#fBiPYd
nJR7rZu'`0~hF
e1j9NJ
Yrk'qD
M&EcsLp}9lVBT
oQ^$Qiy^
e1y&w,RZ
&n+[\<8
6_/qoJx.
F?susF({Y
4_1^6/w!
rD|~ad
tGjQ/hM
ma~9hgY5W
*ab"52A1q{
GejtX7>!J
([TJ]d
Tj~+mON
i7<s{o
[8^2~V
<Gn?`3
Rc?"clyw: X3pM
)4y!Er
.AwR{v
BX!SUCI=m:jraGi$gf\
!b,,bfv
&T#^,t
%;'d1W
Iba\Tw
/^h9):W
v&g'+$
$VjGfEQ"
J5Q4|w
@4>t>S9x!
d5G>CM
^za5|KI
iF~58Y}
iE4ZVZJ
aM^LN@ql
6smSrTtvn@
X,DgT g'
5iZ:9_
7\Q?\'
l\2Z)Fv
;(.4`j
hfjE][l
%.XjE{1NmsK'
:o!ilmJ
pKV&UF
;x _pj7
wRL}0UI'tAv>WFD
\cc;}sz:6/4
J*>?3mS
cN+,"T
$]/MpQ
8G#|8fU
_sfJaY+C
K)=RZE_f/ vk
3Ha| :_+
`jYkZ5rle5iwDh
RP9URXG^lnt5NM,u
An M2H\u%
t(YjO4Y
H&YE=Ll
bK!NIoY
51{c~{
\w)ZJW
1>IX^"ZM
_{C?dGGQ6g==
8($_=+*
zb~H@u
B>hZ1ar
*FLKG^!n*x*Ujs
Iv\}>Ui
of?H7'
_!c" ?
:h+WAE
<'GkU-N5v%/S&
l"_f1z
a}p{bUc4)
ha&Y\9Y
XW~*u[d
AM2V Xlp/
,cDpE#OGUf
YgL _XB_/
;vM)C|?
4P'fxO~$:2G
[92Cm4Pu
w|N@Q6
'RI=]elnMK2
%sU{g~
~->L =W
{)S<M2 }2S8e
E=w|!IH8rr
9T}[$/)w
j0~{CO
\cXA\*
9o?}t%PIi|)!h^mT
Zh)I\dr[pI/
sL?g#Q)H9
#7F1io}0EIx
)5.T,zw.
"j]Pl &
qE6 fK7; xT)
fORwG_
|.0jfNPqi
R:{`~0
}{K5V?
>wj8&#_
)Q*L%{E
QoP3R=L$\
IX2)Xf
ZPH{{e
EVdzz%
HTL8dA
IDATwEo !U
nQM_g.$rj
hMeL6t
wAxUj]
-54|P:H!e$I$> N?,_u
Kt9I;DQCL
!mo/*?
2RP;Uef bQ*
Y{6[>,n
HVE&g`3`wQ^Ln&8M
5 Cnd1
2Gwr-]a6s
:p^ @Vg_o
,RJo/l{
G{d~$H
Gv> EJZ
{L2=]aGGzX
y'%GfAM-N=
\Gc`DM[
@oWccKD:
Yf~[pe1jE@\rRf|Hd~
`C~b y1
^MP#c6&
fG-wR@7
0~Q6Uh(<Or
T}+ez{D
uvCKH!cM#!
AB@"M,,z
Vlx%El[-*l
_~_kkp?,
/7[pG>
7d*iG7
40@WL
`F*B'SvU
Q~T`2 q
CnJF,[
2C1/rY[C
Y0"l~x6;
%hd\Zt7<C&j8>
m@JOC#1(
*4YwUo?
f!?@Cx,It
pxRrczxJ =
\?>kI\ORL D
nD@w9RT"n
`,22'|
UCD.@535
Rr3HAI
%d!JGw
ydx4s0DM
6L)XS4{H5b
ggQ|iA
l0&~Q<
Oe*",IV
Lu+i?br,
tu@|-pd
M$%&zCdM
qY.ut5[!
<y =F -
i7WdlN
O[sgCcV
2)hxcr@~,B
I~,1:30
Wg#vB1<<
Gae026jt
gtA.KE
+&AT'6)
L!This program cannot be run in DOS mode.
`.data
.cdata
Software\Microsoft\PCHealth\ErrorReporting\DW\Debug
DWSensDebugBreak
DWNoSignOffQueueReporting
DWAlwaysReport
HKCU\Software
HKCU\Software\Policies
HKLM\Software
HKLM\Software\Policies
Microsoft\PCHealth\ErrorReporting\DW
3N/GB'
Software\Microsoft\PCHealth\ErrorReporting\DW
OkToReportFromTheseQueues
Software\Microsoft\PCHealth\ErrorReporting\DW\Installed
WatsonLaunchQueuedReportingInstanceVerification
HKEY_USERS\
HKEY_CURRENT_CONFIG\
HKEY_CLASSES_ROOT\
HKEY_LOCAL_MACHINE\
HKEY_CURRENT_USER\
1108160
Global\
Local\
UQW3WEPWh
EPu;uKEPVVVEPEPVuE
;|IWWWW
0j-PEh
PuxEPS
Mh_^[>C
UQVW>t
)WWFEP|
_^U39E
PhM_^@
0VW39}
3aVPhP
EEPSSSSSSh
EP]]]]]E
EPEPVVh
VVVEPV
URSWPQ$W=
QPR`;|xO,;t
QPRx;|aEw$
PQh;|OEw
PQX;|=Ew
PQP;|+h
F$C$F,t
0EPI_|
EEPREP
W3;v8Vt$
UQQSV5
0EP3SEPSu
EP1EPSu
uuuuu3
VVEPEPEPVVVVVVu
EEEEEPuEPVEPSuu
Pktxf{
W]tjfS
ROt\fK
SEPSjr
9]uI3G9
EPEPSSh
SSSEPS
EM3G<9^
HuiWEPE
QtPSSju
QEt&WEPFPSSv
w~oUXSVW
UQQEPEPu
EEPVEPj
PP:MQ.
UQSEPE
0^]_3[
3;Wt2l$
;u_^3]_^
3;Wt5\$
;u_^]3[f
[QSUVt$
r_^][Y
uSVt$
0D$ PL$
QR|$ s
;L$ w L$
;}2;u+_^]
l$(D$$=
0|$$L$(
0_^]3[
03D$(7
u5x1L$$4
r\$$l$(=d
u+@u&USWE
0fT$(f
r_^]3[
U(Vt$ ;t
D$(PL$
T$(RD$(VP
UD$$L$
03@UQE
H8\u8\u
f);_^[
E^_[UE
u_^[]UQS]
9]|39}
UQV395h
0VVVVVVVVj
C3;MMt
0u'EPSj
}tREPuWj
xYYt!E
UQQS39]
3^VWEPj
]3]'uYYt'E
0tU95d
0t@V5d
0tU95H
0t@V5H
0tU95p
0t@V5p
4^UQQS39]
EPtC9]tXj
t23GWS
tMW8tES_
0t+EPEPEPS
0;t"58
0;t"5,
0X@SE[Yw u
WEPVV5X
wMQj Pj
}W[YYM
6MQWPj
0WVP=WVu
0HWVu>}
E9^ E]Et
1EPEPt
#^QVt$
Vhu(!D$
;t%;t!
0f8MZu H<
0EPEPEP
=N@uaVEP
0E3E35
0N@EPj
+SVWEePEEEEd
Y_^[Q%T
SHLWAPI.dll
wnsprintfA
wnsprintfW
ADVAPI32.dll
KERNEL32.dll
MSVCRT.dll
ole32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
RegCloseKey
RegSetValueExW
RegCreateKeyExW
RegDeleteKeyW
RegEnumKeyExW
RegOpenKeyExW
RegQueryValueExA
RegOpenKeyExA
FreeSid
CheckTokenMembership
AllocateAndInitializeSid
RegEnumValueW
RegQueryInfoKeyW
RegQueryValueExW
ConvertSidToStringSidA
AddAce
ConvertStringSecurityDescriptorToSecurityDescriptorW
GetSecurityDescriptorDacl
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
OpenThreadToken
OpenProcessToken
GetTokenInformation
CopySid
IsValidSid
InitializeAcl
AddAccessDeniedAce
AddAccessAllowedAce
GetLengthSid
EnterCriticalSection
LoadLibraryA
InterlockedExchange
FreeLibrary
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
VirtualProtect
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
GetCurrentThread
LocalAlloc
LocalFree
GetModuleFileNameA
GetShortPathNameA
OpenMutexA
CreateMutexA
GetCurrentProcess
GetModuleHandleA
GetProcAddress
MultiByteToWideChar
GlobalAlloc
GlobalFree
CreateProcessW
CloseHandle
GetShortPathNameW
GetLongPathNameW
lstrcmpiW
GetSystemWindowsDirectoryW
GetLastError
GetFileAttributesW
WaitForSingleObject
GetModuleFileNameW
CreateEventW
lstrlenW
InterlockedDecrement
SetEvent
InterlockedIncrement
RaiseException
LeaveCriticalSection
SetLastError
VirtualFree
VirtualAlloc
InitializeCriticalSectionAndSpinCount
TlsAlloc
GetSystemDefaultLCID
TlsFree
DeleteCriticalSection
TlsSetValue
TlsGetValue
_except_handler3
memmove
_c_exit
_XcptFilter
_cexit
__p___winitenv
_amsg_exit
__wgetmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
__dllonexit
_onexit
_controlfp
StringFromCLSID
CoUninitialize
CoInitializeEx
CoRegisterClassObject
StringFromIID
CoCreateInstance
CoRevokeClassObject
CoTaskMemFree
SHGetSpecialFolderPathW
SystemParametersInfoW
RSDS1xmH/~
dwtrig20.pdb
splab1\otools\BBT_TEMP\DWTRIG20O.pdb
0p1+0)
"Copyright (c) 1997 Microsoft Corp.1
Microsoft Corporation1!0
Microsoft Root Authority0
970110070000Z
201231070000Z0p1+0)
"Copyright (c) 1997 Microsoft Corp.1
Microsoft Corporation1!0
Microsoft Root Authority0
%_L >|Q`2kBdyvT
-fh&:,
>8,(9IB
lUa|`-wL
UE:TNzmtN
[pir#Q~
r0p1+0)
"Copyright (c) 1997 Microsoft Corp.1
Microsoft Corporation1!0
Microsoft Root Authority
:!W,Gb;;Z6Ti$m?
[WeIRT
0p1+0)
"Copyright (c) 1997 Microsoft Corp.1
Microsoft Corporation1!0
Microsoft Root Authority0
970110070000Z
201231070000Z0p1+0)
"Copyright (c) 1997 Microsoft Corp.1
Microsoft Corporation1!0
Microsoft Root Authority0
%_L >|Q`2kBdyvT
-fh&:,
>8,(9IB
lUa|`-wL
UE:TNzmtN
[pir#Q~
r0p1+0)
"Copyright (c) 1997 Microsoft Corp.1
Microsoft Corporation1!0
Microsoft Root Authority
:!W,Gb;;Z6Ti$m?
[WeIRT
Washington1
Redmond1
Microsoft Corporation1#0!
Microsoft Timestamping PCA0
060916015300Z
110916020300Z01
Washington1
Redmond1
Microsoft Corporation1'0%
nCipher DSE ESN:D8A9-CFCC-579C1'0%
Microsoft Timestamping Service0
Q2;7:%oaA
U~AS(Tp;'H~C2/&J
SF?$~|,y
(EO6kS
JQ|,jsrW
K'3m2h
oN?4K;AC0D
=0;09753http://crl.microsoft.com/pki/crl/products/tspca.crl0H
,http://www.microsoft.com/pki/certs/tspca.crt0
6 3|._P{a1
_W^;C?aq}{nZ0
5%aN2t+z
N~7_gFKm
ntipKe
o*"73:r0
Washington1
Redmond1
Microsoft Corporation1#0!
Microsoft Timestamping PCA0
060916015300Z
110916020300Z01
Washington1
Redmond1
Microsoft Corporation1'0%
nCipher DSE ESN:D8A9-CFCC-579C1'0%
Microsoft Timestamping Service0
Q2;7:%oaA
U~AS(Tp;'H~C2/&J
SF?$~|,y
(EO6kS
JQ|,jsrW
K'3m2h
oN?4K;AC0D
=0;09753http://crl.microsoft.com/pki/crl/products/tspca.crl0H
,http://www.microsoft.com/pki/certs/tspca.crt0
6 3|._P{a1
_W^;C?aq}{nZ0
5%aN2t+z
N~7_gFKm
ntipKe
o*"73:r0
E Xzg0
0p1+0)
"Copyright (c) 1997 Microsoft Corp.1
Microsoft Corporation1!0
Microsoft Root Authority0
060916010447Z
190915070000Z0y1
Washington1
Redmond1
Microsoft Corporation1#0!
Microsoft Timestamping PCA0
>3I1(d PK
ipfx'f
Y")/@V
vmdmJT
hGv\/}%
|vlnz>q
N+"\hE/
3[AXn ,HoCj
[pir#Q~
r0p1+0)
"Copyright (c) 1997 Microsoft Corp.1
Microsoft Corporation1!0
Microsoft Root Authority
oN?4K;AC0
"Flm|"F
TeJ(&`
:ObX09
2@S=f7"
wTQ:rD#0
0p1+0)
"Copyright (c) 1997 Microsoft Corp.1
Microsoft Corporation1!0
Microsoft Root Authority0
060404174414Z
120426070000Z01
Washington1
Redmond1
Microsoft Corporation1+0)
"Copyright (c) 2000 Microsoft Corp.1#0!
Microsoft Code Signing PCA0
>Pz$%v!*VN
8NcQ=7c
#;q@4GkF's
X1AU8~XYy%*/
JxDRGOg{
}q<+f-+
[pir#Q~
r0p1+0)
"Copyright (c) 1997 Microsoft Corp.1
Microsoft Corporation1!0
Microsoft Root Authority
%+K]rT*
VHG$ z
3^KIP9&:
B&iz+f
80>!0b
Washington1
Redmond1
Microsoft Corporation1+0)
"Copyright (c) 2000 Microsoft Corp.1#0!
Microsoft Code Signing PCA0
060404194346Z
071004195346Z0t1
Washington1
Redmond1
Microsoft Corporation1
Microsoft Corporation0
< ].]rj
#nv<Y\?s3&baybnn
]DfV@v$.D0
/[[^_Rs-E
Mi]k)Q78FI
!`a7C=
%+K]rT*
Str0p1+0)
"Copyright (c) 1997 Microsoft Corp.1
Microsoft Corporation1!0
Microsoft Root Authority
D0B0@><:http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl0O
3http://www.microsoft.com/pki/certs/CodeSignPCA2.crt0
w>hz~\C
V&^3%z^
[57?Ck E~UHeS4
xnPHCZ
-P[@XX/m7y1
Washington1
Redmond1
Microsoft Corporation1+0)
"Copyright (c) 2000 Microsoft Corp.1#0!
Microsoft Code Signing PCA
2=p5ahr0L
http://office.microsoft.com 0
}ud-&I
UQ|Z]Zj
=jrPN}C
F\"U*
Washington1
Redmond1
Microsoft Corporation1#0!
Microsoft Timestamping PCA
070314004034Z0#
g&SF1wC4wi
$gf3(o~+Z`k$0
yW6c$s3
^rcG"&
NO-cAQ!
=�5�+�5�1� �
+�Q�u�M�q�A�T�N�R�M�i�
+�8�7�J�J�T�E�Y�e�P�K�W�o�
4�J�p�n�~�L�J�J�d�p�t�T�
$�8�"�=�B�E�j�N�D�N�U�v�x�i�v�I�C�Y�E�B�
+�8�l�G�e�M�U�g�j�
:�O�M�g�`�h�
5�Z�y�q�d�Y�I�4�8�3�3�5�6�
'�&�#�$�!�-�)�8�-�<�6�:�-�=�<�@�p�V�D�Y�d�r�v�}�v�H�H�]�b�k�`�h�j�m�
S�E�N�S�.�D�L�L�
k�R�u�n�A�s�
I�n�t�e�r�a�c�t�i�v�e� �U�s�e�r�
T�y�p�e�L�i�b�
L�o�c�a�l�S�e�r�v�e�r�3�2�
A�p�p�I�D�\�%�s�
C�L�S�I�D�\�%�s�
"�%�s�"� �-�%�c�
W�a�t�s�o�n� �s�u�b�s�c�r�i�b�e�r� �f�o�r� �S�E�N�S� �N�e�t�w�o�r�k� �E�v�e�n�t�s�
d�w�q�.�s�n�t�
\�P�C�H�e�a�l�t�h�\�E�r�r�o�r�R�e�p�\�
Q�R�e�g�u�l�a�r�
Q�S�i�g�n�o�f�f�
Q�H�e�a�d�l�e�s�
W�a�t�s�o�n� �S�u�b�s�c�r�i�p�t�i�o�n� �t�o� �S�E�N�S� �N�e�t�A�l�i�v�e�N�o�Q�O�C�I�n�f�o� �E�v�e�n�t�
C�o�n�n�e�c�t�i�o�n�M�a�d�e�N�o�Q�O�C�I�n�f�o�
s�"�%�s�"� �-�%�c� �%�u�
E�v�e�n�t�S�y�s�t�e�m�.�E�v�e�n�t�S�u�b�s�c�r�i�p�t�i�o�n�
S�u�b�s�c�r�i�p�t�i�o�n�I�D�=�%�s�
\�D�W�R�e�p�o�r�t�e�e�N�a�m�e�
D�:�(�A�;�;�0�x�1�2�F�F�F�F�;�;�;�I�U�)�
D�:�(�A�;�;�0�x�1�2�F�F�F�F�;�;�;�B�A�)�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�0�0�0�0�4�E�4�
C�o�m�p�a�n�y�N�a�m�e�
M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
W�a�t�s�o�n� �S�u�b�s�c�r�i�b�e�r� �f�o�r� �S�E�N�S� �N�e�t�w�o�r�k� �N�o�t�i�f�i�c�a�t�i�o�n�s�
F�i�l�e�V�e�r�s�i�o�n�
1�1�.�0�.�8�1�6�0�
I�n�t�e�r�n�a�l�N�a�m�e�
d�w�t�r�i�g�2�0�.�e�x�e�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�p�y�r�i�g�h�t� �
�2�0�0�2�-�2�0�0�3� �M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�.� � �A�l�l� �r�i�g�h�t�s� �r�e�s�e�r�v�e�d�.�
L�e�g�a�l�T�r�a�d�e�m�a�r�k�s�1�
M�i�c�r�o�s�o�f�t�
�i�s� �a� �r�e�g�i�s�t�e�r�e�d� �t�r�a�d�e�m�a�r�k� �o�f� �M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�.�
L�e�g�a�l�T�r�a�d�e�m�a�r�k�s�2�
W�i�n�d�o�w�s�
�i�s� �a� �r�e�g�i�s�t�e�r�e�d� �t�r�a�d�e�m�a�r�k� �o�f� �M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�.�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
d�w�t�r�i�g�2�0�.�e�x�e�
P�r�o�d�u�c�t�N�a�m�e�
W�a�t�s�o�n� �S�u�b�s�c�r�i�b�e�r� �f�o�r� �S�E�N�S� �N�e�t�w�o�r�k� �N�o�t�i�f�i�c�a�t�i�o�n�s�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
1�1�.�0�.�8�1�6�0�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
<�<�<�O�b�s�o�l�e�t�e�>�>�
d�w�t�r�i�g�2�0�.�e�x�
Process Tree
-
091bb3a82a7144b5c9a492942c03e8042fc03db66bf8129bab4c73eab29537f9.exe (1064)
"C:\Users\Administrator\AppData\Local\Temp\091bb3a82a7144b5c9a492942c03e8042fc03db66bf8129bab4c73eab29537f9.exe"
- MSWDM.EXE (2112) "C:\WINDOWS\MSWDM.EXE"
-
MSWDM.EXE (3008)
-r!C:\Windows\devB824.tmp!C:\Users\Administrator\AppData\Local\Temp\091bb3a82a7144b5c9a492942c03e8042fc03db66bf8129bab4c73eab29537f9.exe! !
- MSWDM.EXE (1192) -e!C:\Windows\devB824.tmp!C:\Users\Administrator\AppData\Local\Temp\091BB3A82A7144B5C9A492942C03E8042FC03DB66BF8129BAB4C73EAB29537F9.EXE!
- 091BB3A82A7144B5C9A492942C03E8042FC03DB66BF8129BAB4C73EAB29537F9.EXE (2004)
091bb3a82a7144b5c9a492942c03e8042fc03db66bf8129bab4c73eab29537f9.exe, PID: 1064, Parent PID: 2284
default registry file network process services synchronisation iexplore office pdf
MSWDM.EXE, PID: 2112, Parent PID: 1064
default registry file network process services synchronisation iexplore office pdf
MSWDM.EXE, PID: 3008, Parent PID: 1064
default registry file network process services synchronisation iexplore office pdf
Hosts
| IP |
|---|
| 192.255.255.255 |
| 114.114.114.114 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
No TCP connections recorded.
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 139 | 192.168.56.255 | 78 |
| 192.168.56.101 | 139 | 192.168.255.255 | 78 |
| 192.168.56.101 | 139 | 192.255.255.255 | 78 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 72fc3fdced04ed8d_devB824.tmp |
|---|---|
| Filepath | C:\Windows\devB824.tmp |
| Size | 38.3KB |
| Processes | 1064 (091bb3a82a7144b5c9a492942c03e8042fc03db66bf8129bab4c73eab29537f9.exe) 3008 (MSWDM.EXE) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 6d787fdf93de266ce25378fb362df011 |
| SHA1 | 00ed94c8d2041eecc24a69fe99e0fdbb043fafe3 |
| SHA256 | 72fc3fdced04ed8de4758a47d4ec124b6ec147da3841a61a1b411a158011eca5 |
| CRC32 | 7BA1B4DE |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 14e33df5bdec3c79_mswdm.exe |
|---|---|
| Filepath | C:\Windows\MSWDM.EXE |
| Size | 80.0KB |
| Processes | 1064 (091bb3a82a7144b5c9a492942c03e8042fc03db66bf8129bab4c73eab29537f9.exe) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 14eb67c7e448d2f21867b60e673bcec8 |
| SHA1 | f82d76d1091c1cda0c5c86a9b2f7464b0ad0a263 |
| SHA256 | 14e33df5bdec3c799f6344bc0367745cad4ee4b5bcb62fb0b12745c3fdf586f3 |
| CRC32 | 9C526DCC |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | e3b0c44298fc1c14_sys.try |
|---|---|
| Size | 0.0B |
| Type | empty |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| CRC32 | 00000000 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 57c891aaafd927b9_091bb3a82a7144b5c9a492942c03e8042fc03db66bf8129bab4c73eab29537f9.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\091bb3a82a7144b5c9a492942c03e8042fc03db66bf8129bab4c73eab29537f9.exe |
| Size | 118.4KB |
| Processes | 1192 (MSWDM.EXE) |
| Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 57c12312cade82e96237244dba79f14f |
| SHA1 | 5bf9595c81ab7aa80a98fac00458aa222b712fbe |
| SHA256 | 57c891aaafd927b93d0734f2c0a9668658ff918d4c5f12674889aba1cbe70410 |
| CRC32 | 6BA84F78 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.