0.5
低危
DACN
0.12
FACILE
1.00
IMCLNet
0.70
MFGraph
0.00
反病毒引擎
未检测
暂无反病毒引擎检测结果
静态指标
此可执行文件具有 PDB 路径
(1 个事件)
| pdb_path | f:\软件工程\驱动编程\ok\kernelyk\bin\i386\NtHook.pdb |
可执行文件包含未知的 PE 段名称,可能指示打包器(可能是误报)
(1 个事件)
| section | INIT |
动态指标
网络通信
与未执行 DNS 查询的主机进行通信
(3 个事件)
| host | 114.114.114.114 | |||
| host | 8.8.8.8 | |||
| host | 161.35.49.148 | |||
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2012-07-12 10:56:30
PDB Path
f:\软件工程\驱动编程\ok\kernelyk\bin\i386\NtHook.pdb
PE Imphash
680b30d4cc6df1a35bb0bd838b26be70
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00001000 | 0x000059f0 | 0x00005a00 | 6.472408976389808 |
| .rdata | 0x00007000 | 0x000005d4 | 0x00000600 | 4.638615899628572 |
| .data | 0x00008000 | 0x0008f204 | 0x00041600 | 6.543069176402501 |
| INIT | 0x00098000 | 0x0000087c | 0x00000a00 | 5.180380007699909 |
| .rsrc | 0x00099000 | 0x000003d0 | 0x00000400 | 3.084203478284951 |
| .reloc | 0x0009a000 | 0x00000da6 | 0x00000e00 | 4.410002835171245 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_VERSION | 0x00099060 | 0x00000370 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
Imports
Library ntoskrnl.exe:
• 0x17008 RtlUnicodeStringToAnsiString
• 0x1700c RtlInitUnicodeString
• 0x17010 _strnset
• 0x17014 memcpy
• 0x17018 MmGetSystemRoutineAddress
• 0x1701c MmIsAddressValid
• 0x17020 RtlCompareString
• 0x17024 RtlInitString
• 0x17028 ZwClose
• 0x1702c ZwMapViewOfSection
• 0x17030 ZwCreateSection
• 0x17034 ZwOpenFile
• 0x17038 KeServiceDescriptorTable
• 0x1703c KeAddSystemServiceTable
• 0x17040 ExFreePoolWithTag
• 0x17044 ZwQuerySystemInformation
• 0x17048 ExAllocatePool
• 0x1704c memset
• 0x17050 KeDetachProcess
• 0x17054 KeAttachProcess
• 0x17058 PsLookupProcessByProcessId
• 0x1705c strstr
• 0x17060 _wcsnicmp
• 0x17064 RtlEqualUnicodeString
• 0x17068 KeSetEvent
• 0x1706c KeWaitForSingleObject
• 0x17070 ZwSetValueKey
• 0x17074 ZwCreateKey
• 0x17078 ZwQueryValueKey
• 0x1707c ZwOpenKey
• 0x17080 wcsstr
• 0x17084 _wcslwr
• 0x17088 _wcsnset
• 0x1708c ZwReadFile
• 0x17090 ZwQueryInformationFile
• 0x17094 ZwCreateFile
• 0x17098 RtlCompareMemory
• 0x1709c ZwWriteFile
• 0x170a0 RtlFreeAnsiString
• 0x170a4 ObfDereferenceObject
• 0x170a8 atoi
• 0x170ac RtlCopyUnicodeString
• 0x170b0 RtlVolumeDeviceToDosName
• 0x170b4 ObReferenceObjectByPointer
• 0x170b8 ObReferenceObjectByHandle
• 0x170bc PsSetCreateProcessNotifyRoutine
• 0x170c0 ObReferenceObjectByName
• 0x170c4 IoDriverObjectType
• 0x170c8 IoFreeIrp
• 0x170cc IoFreeMdl
• 0x170d0 MmUnlockPages
• 0x170d4 IofCallDriver
• 0x170d8 KeInitializeEvent
• 0x170dc IoBuildAsynchronousFsdRequest
• 0x170e0 RtlFreeUnicodeString
• 0x170e4 IoBuildDeviceIoControlRequest
• 0x170e8 IoGetDeviceObjectPointer
• 0x170ec ZwPulseEvent
• 0x170f0 ZwAllocateVirtualMemory
• 0x170f4 ObOpenObjectByPointer
• 0x170f8 ProbeForRead
• 0x170fc IoGetCurrentProcess
• 0x17100 _strupr
• 0x17104 PsGetProcessImageFileName
• 0x17108 _wcsupr
• 0x1710c PsRemoveLoadImageNotifyRoutine
• 0x17110 PsSetLoadImageNotifyRoutine
• 0x17114 PsGetVersion
• 0x17118 KeDelayExecutionThread
• 0x1711c IofCompleteRequest
• 0x17120 ExEventObjectType
• 0x17124 MmMapIoSpace
• 0x17128 MmGetPhysicalAddress
• 0x1712c PsCreateSystemThread
• 0x17130 IoDeleteDevice
• 0x17134 IoCreateSymbolicLink
• 0x17138 IoCreateDevice
• 0x1713c DbgPrint
• 0x17140 KeTickCount
• 0x17144 KeBugCheckEx
• 0x17148 RtlUnwind
• 0x1714c RtlAppendUnicodeStringToString
• 0x17150 strchr
Library HAL.dll:
• 0x17000 KeGetCurrentIrql
L!This program cannot be run in DOS mode.
&WHWHWHWI
H^RH^SH^QH^VH^VH^VHRichWH
h.rdata
H.data
B.reloc
|3_^[
`|$(t$,L$0
VWE33E
EPEPh
3uEPh]
rMEPh]
@@AAu3
@:u+@PVP_D
@@AAu3
@:u+@PWPB
@@FF:u3
@@AAu3
VSPVSP
@:u+@PPGA
@:u+@PP@
PQPPDP
S3;w*PG
;v2[_^]
@:u+tI8
;w)SSSS@
@:u+Pu
UQSV5Dp
WEP3WPj
;tTWuSj
W=33;v<K
EE3EPWWWEPh?
@@f;u|u
tL9]tGuj
EPuEWj
@@f;uu
@@fu+uQj
f0@@fu+D
GGfu:3
@@fu+D
M_^3[7
3WWj j
EEWEPEPh
PEPWWWu
@@AAu3
@u+@PWP7
@u+@PP<7
WPwPPjP
@u+@PVP(6
3Pi5\p
YY;u!hv_
;t&hr_
@u+@PVP4
@u+t|SWh_
YYu!h_
uVVj j
VEPEPh
;|*VVu
EPVVVu
SEPSSSu
p$SSSV
uVuWr2
9]t1Su
_WVEPWh`
WVEPWh`
@@fu+D
pWVEPWh`
_WVEPWh`
@@fu+ED
f0@@fu+D
WVEPWh`
@@fu+D
WVEPWh`
WVEPWh`
WVEPWh`
[f8@@fu+D
rw3}3h`
j0XjbfEEj
@uEPPP{P
u_[M3^,
VV0EVVj@P
u_8^!t 9]
8] tHSSEP
F`$MH M
u5SSSSEP
SV3W;u
t6jjYj
M_^3[<&
u0u,u(u$u u
E$F^PEP
} uuxtD9]$t$;u
6u9]$t9]
} uutMt.;u
PVPEt&u(Vu
3M_^3[#
EPEPt?
@@fu+D
@@fu+D
u ](u,Su$V]
@u+@PP#
V3VPj#
WVPWVP
@u+t?WDP6
@@FFu3
@u+t?WP
@@FFu3
@u+t>WPPPYYt"
PzPPmPYYtWP
@u+tWJPP=PYY
;uuh~a
E379ut
E E$u(E,E0e
eEPtEV
UQSVW`v
MQPE+EEEE
t+?t&=
VEESEP
t1>+u)t?
Ej0XfEj
3Y}E\b
@uEPEP}
|M_^3[
;uMSQW
VEVEPE
EPEPVVVj
VVVVEP
N;s3M_3^
PYYu|h(h
PYYuhh
PYYuThg
PYYu@hg
PYYu,hg
PYYu|h
PYYuhhf
PYYuThf
PYYu@hf
PYYu,hf
j@SPWhq
j@SPWhq
j@SPWhq
u$u>ct55q
PYYuxh
PYYudhf
PYYuPhf
PYYu<hf
PYYu(hf
"C;wwtX- "Ct
u}R*38
|HEP q
UQSVWhi
YEP3Sh
F@F8E5p
1E3PeuEEEEd
Y__^[]Q
:E_^[]E
EPeuEEEEd
URPQQh\
t;T$4t
;v.4v\
UVWS33333[_^]
33333USVWj
_^[]Ul$
UQPXY]Y[
NtCreateUserProcess
NtShutdownSystem
NtDeviceIoControlFile
NtQueryValueKey
NtCreateProcessEx
NtQueryDirectoryFile
HTTP/1
HOST:
REFERER:
REFERER:
114.112.36.195
119.147.146.35
119.147.146.16
119.147.146.31
119.161.218.126
122.228.113.10
114.112.36.116
119.147.146.59
119.147.146.58
119.147.146.57
119.147.146.47
61.164.154.210
61.164.154.218
121.14.11.61
122.228.113.9
114.112.36.114
119.147.146.218
119.147.146.88
119.147.146.87
119.147.146.86
61.164.154.215
119.147.146.52
119.147.146.54
119.147.146.53
119.147.146.51
61.164.154.223
218.6.25.204
119.147.146.50
119.161.218.29
119.147.146.56
61.129.69.28
121.14.11.177
114.112.36.113
211.103.159.111
219.238.235.66
219.238.233.196
219.238.237.137
219.238.237.149
219.238.237.133
220.181.126.17
218.6.23.40
220.181.66.96
59.57.12.78
220.181.24.13
119.188.2.221
125.46.41.169
125.46.41.165
221.204.202.40
220.181.156.231
220.181.141.115
220.181.141.114,
220.181.141.113
118.145.31.212
220.181.156.230
61.55.184.20
124.238.243.54
220.181.141.103
218.84.244.45
218.84.244.44
218.84.244.43
218.84.244.42
218.84.244.41
218.84.244.40
218.84.244.39
218.84.244.38
218.84.244.37
218.84.244.36
218.84.244.35
218.84.244.34
218.84.244.33
218.84.244.32
218.84.244.31
119.147.146.32
119.147.146.27
119.147.146.55
safemon.dll
CORAL.EXE
115BR.EXE
TTRAVELER.EXE
NAVIGATOR.EXE
SAFARI.EXE
CHROME.EXE
OPERA.EXE
THEWORLD.EXE
MAXTHON.EXE
FIREFOX.EXE
GREENBROWSER.EXE
360SE.EXE
SOGOUEXPLORER.EXE
QQBROWSER.EXE
IEXPLORE.EXE
EXPLORER.EXE
SERVICES.EXE
dw.ini
wm.ini
NtHook.sys
ehdrv.sys
epfwtdir.sys
TSKsp.sys
TCSafeBox.sys
TsFltMgr.sys
mp110003.sys
KVFg.sys
SysGuard.sys
Kvfw.sys
KSysCall.sys
360AntiArp.sys
sysmon.sys
kdhacker.sys
kisknl.s
kmodurl.sys
rfwtdi.sys
rsndisp.sys
hookport.sys
QQPCTRAY
TSVulFW
avtmon
ksfmon
safemon
www.xxooxxooxxoo.com
RSDSPK!]5Nr{ c
\ok\kernelyk\bin\i386\NtHook.pdb
PPPPPPPPPPPPPPPP
HTTP/1.1 302 Redirect
Location:
HTTP/1.1 307 Redirect
Location:
<html><frameset border=0 frameSpacing=0 rows="*,0" frameBorder=NO><frame name="main" marginWidth=0 marginHeight=0 noresize src="
"></iframe></frameset></html>
fGLgf&
f&=tu&}
&=Fuf&}
af3ff.
O<L9Pt
QW;uQf
_YQWju7
D$,|$8)6GF3D$0*-
"\$(|$,
f;MZuC<=
7 H}>_L
1I=Ar
a`1PP3V
VWPPP3U
QRVPWQQQ3U
4$vPv(W
`l$(E<T
;|$$uZ$
;ntosuiK
krnluYK
.exeuI{
8ntosu
8`KINGKLEISSNER
`KINGKLEISSNER
XESPPhCRAPEISG
COOLmov PK
L!This program cannot be run in DOS mode.
h.rdata
H.data
.reloc
VV0EVVj@P
u_8^!t 9]
8] tKSSEP
F`$MH M
u7SSSSEP
EE3EPWWWEPh?
ESVW3h
@@f;u[
VPHRPj
P2WRPj
|+SSWPSSS
f0@@f;u+D
f8@@f;u+D
_WVPWh
@@f;u+D
WVPWht
WVPWhh
M_^33[
!!!!!!!!!!Read Or Write HD Error Code====0x%x
IoCallDriver 0x%x fail 0x%x
RSDSWX^M)L}@p
\ok\nthook\bin\i386\StartDriver.pdb
ObfDereferenceObject
ObReferenceObjectByName
IoDriverObjectType
RtlInitUnicodeString
IoFreeIrp
KeSetEvent
IoFreeMdl
MmUnlockPages
DbgPrint
ExFreePoolWithTag
KeWaitForSingleObject
IofCallDriver
KeInitializeEvent
IoBuildAsynchronousFsdRequest
ZwClose
ZwSetValueKey
ZwCreateKey
ZwLoadDriver
ZwWriteFile
ZwCreateFile
ExAllocatePool
memset
KeTickCount
KeBugCheckEx
ntoskrnl.exe
80G0P0b0}00000
1>1n1111111
2F2f2o222m33M4p4|4444444
5 5J5^5r555555555
0 0$0-040
L!This program cannot be run in DOS mode.
`.rdata
@.data
@.reloc
^UVWh*
+t%WPD$
N<Qn,~8~0~4
VdRnT~`~X~\
3PfL$"
3QfT$"
ESVWPEd
Y_^[M3z}
MWVURSM!
uZ},JS]
REPMQ&!
T]CEEMQ~
SUVWh +
SWPT$$
_^uTD$
D$(UVW]
fdt/fet)f
ED$%D$(LhD)
L$(QD$,KD$.RD$/ND$1D$23D$32D$4.D$5DD$6D$7D$8
stu3D$
L$4_^]3
WD$ D$$D$(D$,
|$0j0fD$$
fD$"j0v
u&D$0P
D$$3h+
_^[33m
D$(PVT$,Vh+
_^[33l
|$4P q
@u++Q$
@u3D$ D$$D$(D$,$
j0fD$&|s
u&T$0R
_^[33&j
WD$ D$$D$(D$,
|$0j0fD$$q
j0fD$&q
u&D$0P
_^[33h
SUV+W333
Rt$ \$4f
VuD$(P
@u+PD$
T$,RPg
_^][3\g
D$ D$$fL$
_^[33d
t$pfD$bD$d3
D$0EfT$4D$8D$9D$$PfL$*L$LD$Mj0ak
AQ+FV$
j(3fD$2fT$:$
\$dj0Yj
RjPfD$
D$)3fD$&fT$(j
fD$ND$L$
fT$(T$8$
D$0fT$:T$8$
_^[33_
SoUpVrkWD$h\D$iAD$jD$kD$llD$miD$ncD$oaD$ptD$qi\$rD$snD$t D$uDD$vaD$wtD$xaD$y\D$zMD${iD$|cT$}\$~D$
D$8MD$9iD$:cT$;\$<D$=s\$>D$VD$]D$ch
PD$GfD$HtD$I\D$JND$KeD$LtD$Mw\$NT$OL$PD$Q\D$RC\$SD$TnD$UnD$VeD$WcD$XtD$Yi\$ZD$[nD$\sD$]\D$_bL$`D$a\T$bD$caD$dsD$fh\$gD$hnD$ieD$j.D$lbL$mD$n
L$ Q%j\$
D$(D\$)D$*cD$+uD$,mD$-eD$.nD$/tD$0sD$1 D$2aD$3nD$4dD$5 D$6SD$7eD$8tD$9tD$:iD$;nD$<gD$=sD$>\D$?
D$ D$!sD$"\D$#D$$sD$%
PL$ QR
D$$L$(X`
_^][3LZ
RL$(QPj
D$ D$$D$(D$,D$
QPVD$ PVj
SUV3SSh
QVPSS\$4
333;T$
^][3cW
aVDWsT$
T$"eWD$
D$ LD$!$D$"_D$#RD$$L$%T$'D$(fD$)D$*uD$+lD$,tD$-CD$.rT$/D$0dT$1D$2nD$3tD$4iD$5D$6lL$7D$8#D$90D$:
VpWk.|$
RD$4L$8D$<
t$,\$$h
W|$$WjSj
W|$ WjSj
W|$4WjSj
t$,\$$C\$$
@u+@PP
ABu|$ l$
@u+@PfP
ABu|$$tGM
ABu|$(tHU
@u+@PO
ABu|$,tHE
@u+@P}O
ABu_^]
@u+@PN
ABu|$ S
@u+@P}N
ABu|$$K
@u+@P-N
ABu|$(C
@u+@PM
ABu|$,S
@u+@PM
@u+V@P$
@u+V@P$
t$8D$4
@u+@PM
@u+@Pj
@u+V@PWU
@u+@VP
@u+W@PVZU
SVWPEd
@u+@PV
@u+@PWE
SUVWVI
UV3SWR
U\$ \$$!
T$ESR\$L
PL$ hT0
PL$$QU
RD$ hx0
RD$$PU)
QT$ h0
QT$$RU
PL$ h0
PL$$QU
RD$$PUp
QT$$RU
@:u+t7$
_^][3:
^]UjhN
ESVWPEd
Y_^[M3`8
SUVWD$
T$(RVD$0(
L$(QVE7
V3qhX1
_^][3(6
SUW3Sj
@u+PT$8VRF
_][3R5
|$@D$@PSfh2
_^3[$P
D$<3D$ED$IfD$MD$O2
D$%D$)fD$-D$/D$
L$ T$$
@:u|$0+OO
L$hQh2
T$@Rh2
T$,Rh2
@:u+L$`q
A:u+A;v.@;r)I3;~
;v/F;r*I3;~
_^]3C0
^]QUl$
u6NhSQ4<
RFrP <
^]YUl$
t/SV\;
FdUPK;
3D$aD$eD$ifD$mD$o`3
D$mD$qfD$uD$wD$
L$hT$l
@u|$P+OO
@u|$d+OO
L$`QhL3
L$tQhL3
t-@;r(I3~
v,F;r'I3~
t/@;r*I3~
L$ QR5
D$RD$VfD$Z3
D$83f$
D$?D$CD$G3
L$|T$2
@u|$<+OO
@u|$(+OO
@u|$x+OO
D$uD$yD$}$
D$mD$qD$u$
L$LQh3
D$XPhK,
L$8Qh3
D$lPhK,
t/@;r*I3~
v,F;r'I3~
v,F;r'I3~
D$ PQ3/
D$43D$9D$=D$AfD$ED$G<4
D$DD$HD$LD$
L$,T$<
@u|$x+OO
@u|$(+OO
@u|$<+OO
t/@;r*I3~
v,F;r'I3~
v,F;r'I3~
t/@;r*I3~
3D$-D$1D$5fD$9D$;D$
@u|$(+OO
T$8Rhp4
t-@;r(I3~
3D$9D$=D$AfD$ED$G4
D$ED$IfD$MD$OD$|$
L$DT$<D$xqz_
@u|$(+OO
@u|$<+OO
@u|$x+OO
3jcPD$eD$iD$mD$qfD$uD$w$
RfD$!D$#hK,
D$8Ph4
T$XRhK,
D$LPh4
D$qD$ujcP$
t2@;r-I3~
v'F;r"I3~
v,F;r'I3~
D$$L$$Q$
P\$pD$$@
;D$ D$
T$$RU#
D$ L$|
@u|$x+OO
t2@;r-I3~
T$$RU!
3D$IfD$MD$OD$ L$@T$D
@u|$<+OO
T$LRh4
t,@;r'I3~
3D$MD$QD$UfD$YD$[ 4
D$83D$=D$AfD$ED$Gf4
L$0T$x
@u|$<+OO
@u|$(+OO
@u|$x+OO
D$QD$UD$YD$]fD$aD$c$
T$LRh4
T$8Rh4
L$XQhK,
3D$eD$iD$mD$qfD$uD$w$
t/@;r*I3~
v,F;r'I3~
v'F;r"I3~
@;D$ D$
D$@VWj1D$
_^L$@3}
L$H_^3
uSj2Ph,
j;D$1j
T$0RP]
L$:QRH
D$DPQ3
uL$^QT$XRD$RPL$LQT$FRD$@P$
h@u|$hOG
@u|$h+OO
@u|$h+OO
@u|$h+OO
@u|$h+OO
L$$3QVD$,
D$-D$1D$5
NhQh83
FhPh83
ESVWPEd
Y_^[M3/
SVWPEd
@u+}OO
]UjhxN
ESVWPEd
Y_^[M3\
]UjhXN
ESVWPEd
Y_^[M3
T$<RD$(Pj
T$4RAWL$<L$(PQ
fu+W@P$<
fu+@VP$<
D$(P$8
D$ Ph?
u`L$ T$,R$8
uGtXL$
aU,E(M$RU PE
QRPQR0aE,M(U$PE QM
RPQRPM_^3[^
WaE,M(U$PE QM
RPQRP0aM,U(E$QM RU
PQRPQpM_^3[
USVW`E
a_^[]Wh07
@u|$0+OO
_^[33]
W3SSSSSSSS
SL$$Qj
t59|$ t/
;t&ST$
_^][3y
D$)SP\$0[
@:uSL$(Q
@PRh"CW
@PRh"CW
1E3PEd
u?\uPG
8\uHuFu
tA<\u/
Pt$(D$$
j@D$8j
T$0D$xWD$yiD$znD${SL$|D$}D$~0D$
L$xL$8T$ RD$4Pj
|$ |$$|$
PWWWWWV
C<At?<Bt;j
L$$QT$ RV
t$D$ L$$T$
j@D$ @,
T$ R$l
jBPWD$
L$LFL>
|$D.tZD$
t.L$DQV$`
%T$DRV$`
_^][3$
P$SUVW
3PD$8d
|0\u)V
l$0D$
@u+PVL$$
l$@s$N
8D$@|$4
Y_^][0jh
SPL$(t$0E
t2T$pRWV$
D$pPWV$
\$<\$,H
@:u+P$
L$(QRV^
t$$D$@
\$<\$,T$ L$DQR
Y_^][$
L$,T$0$Q
@K0QD$(
L$ _^]3.
@u+PR.
Q+UV_^]
3PD$Hd
PL$$D$T
L$$QD$('
uO_^3[Y
SH=QT$
$RD$dPj
L$`hX8
3fL$8D$4
T$PRD$
\S\$dVWP
tj@D$(j
QT$$Rj
$RVhl8
u#EpPNrQ
AuMpxr+
@u4+j|Qd
@u++V4R4P?
@u+j|V
@u++W4VQ
@u+PQ4R
t!VWj3hx
t!VWj3hx
0t%WPj3hx
.3VPf,
f;uS(Rj
3_^[M3I
3PD$$d
l$8t$4j
|$$D$(
D$$PD$
uD$ rD$ lD$"gD$#.D$$dD$%aD$&tD$'
D$,t$(j
L$0D$0}D$1
L$(3QD$
RD$(PD$ \D$"uD$#rD$$lD$&gD$'.D$(dD$)aD$*t\$+
48b@;rn
ESVWPEd
8EREEEGE_ESEZ]3HLPTX\`dh
%EE-E2E4sU MEE-E1E5UMEUME
qYrEE-E2E4UMEE-E1E5U
E0xUEUE(EEdE)ME
]EREEEGE_EMEUELETEIE_ESEZ]EREEEGE_DEEWEOERE]EREEEGE_EEEXEPEAENEE_ESEZ]
<QDR4PSV0Q
<RDP4QSV0R
<R(P4QSV0R
uT(Ph0,
<RS4PSV0Q
Y_^[M3
PPL$ QT$(RD$0PD$
WL$$QT$ RWWWP
L$<T$@G
L$(T$
D$@PUQRt$P
t$ @D$
<VL$ Qh?
PPL$ QT$(RD$ PD$4VL$HQT$HRVVVP
SUW|$(d@|$
l$LD$P
+l$ L$
T$<D$@
QRT$(D$
D$ PD$@j
L$$QL$@RPQ
(@uD$DT$H
D$0RPVv
D$4;D$
_][^<VF
AQVD$$
AQVD$H
3PD$(d
D$<T$8j
Y_^][
3PD$(d
L$@D$@{
@u+@PD$
L$@D$@t
Y_^][
@u+V33
DB|^jhx
3PD$(d
L$@D$@t
D$@D$@Pj
L$@D$@t
D$@7V'
Y_^][
3PD$(d
L$@D$@bW
L$@D$@u
Y_^][
Ul$LVWE
|_^][@
3PD$0d
D$Dt$@j
D$DD$8
t$$\$(
t$4\$8
L$(Qh`/
PQSUVW
t$ D$$
QhGPRF
VDQN,j
RV(QNLRj
D$ PhP;
V3H;Ht&;
3PD$$d
D$$Ph,<
D$(PhT<
D$<3SF
~pNDQ^0F$
VDRFLS
PFp~\n`V ]
N,V(QRFdFpV
NdVDSSW|$$SQRFlSSUFTSFhNDPQ
NDSSVxRFXFhSPQ
NTVHQR
V,F(RPSSN4QT$4VhB
v,^ Ft
PQSUVW
QNxRV`
~0;~,}
;~,|D$
NDV(PFHUj
~,N\+O
~`U&RjUj^4SL$(
n(3~1d$
J#;F8|
F@N,;~<|
RVDPQRUSPFLQPT$0O
QNPRPUSj
QT$0F
3~>W+2v
UV33l$
:;9t_4+9:9l+
;r_^][Y
SVW3h?
VVD$(t$$t$
\$(;t:5
|$,u#L$
PL$ Qh
@u+PQD$8PJ
@u+PQL$yQ*
$|$ ;\$
<|$,t$$T$(R
_^[3y}
ST$ h<
SD$ Pj
L$ D$ L$
L$ D$ ]L$
L$$D$$L$
L$ D$ ]L$
3j@D$,D$0D$<WP
WQ|$ D$$D$(D$,$
jDL$8j
T$4RD$
D$ D$$
L$tD$|D$x
RD$8Pj
Y_][$t
F N(jj
D$$t$ j
3PD$Hd
t$$D$
3t$P9t$(t$
~7D$<L$
@;D$(D$
~UT$<D$
@;D$(D$
PhD$ PD$P|$43~
F;|L$@Q#s
UVWh$1
PYV_^]
D$$D$8VPt$$t$<,
3_^[$X
j@D$8(
T$4L$8D$
L$ QPT$4D$
RPQT$,T$TR
@PL$XQ
T$0RPT$(
SUVW=
2_^][
T$4L$$Q
t$8T$$L$
D$$Ph >
L$$QUT$ UT$ t
@PD$$P
D$,PD$(QL$(T$
gL$ D$
V3WSSaSL$2L$=D$
liSL$0
Q\$(\$0t$,D$4MD$5oD$6zT$7D$8D$9D$;/D$<4D$=.D$>0D$? D$@(D$AcD$BoD$CmD$DpD$FtT$GD$HbD$ID$JeD$K)\$L
f9D$<u%T$
SL$ QL$
RD$HPQ3
_^][3a
L$#L$&D$
IAL$*L$-DtD$
D$!\\$ \$%SL$4L$;rRD$$D$0D$7D$H\$'\$1sD$
L$<L$@L$GPL$ T$"T$&T$-e\$7\$H\$IQ3h
D$(HD$,WD$4CD$7PD$8TD$:OD$;ND$>yT$AD$BmD$DCT$ED$FnD$IaD$JlD$KPD$MoD$NcT$OD$RoD$U0\$V
QD$ ~D$!MD$"HD$#z\$$SD$
rSL$1L$2L$:L$Cej
L$,T$,T$.T$AT$EtQT$XRD$5YD$7TD$8ED$9MD$:\D$;CD$<uD$?D$@n\$AD$BCD$CoD$Dn\$ED$GoD$HlD$J\$KD$L\D$ND$PvD$QiD$RcD$SD$TsD$U\D$V%D$WsD$X
VT$0L$`D$0HD$1oD$2s\$3D$4
VWD$LPD$LgD$P
QT$<D$<D$@D$DD$H
T$LR$,
8L$HD$DT$<VW|$HL$
QT$ D$$D$4
8L$HT$<D$DS\$DVL$
QRD$(D$8
t1N$t*@
N(PQV$
~(9~$u
SU33V;W
W(9W$u
^(\$$>j
NHn$EUF,
FDHFLVPO(QW V$F0G(j
RPW NDF8W(j
QRW F<K
PG(PW
V0tMV8tFV<t?t;WF
_^][_^][
3;Vtap
;tZ9H tU9H$tPH
n uxN(F|
u3F _^]3[
u&NDV<fDJ
F _^]3[
F _^]3[
PF(PV$
V(PRV$
N(PQV$
PF(PV$
V(QRV$
H_$^_^
SV3B$JDB4B<WftHJDz<3L
rdrTrl
r`r@^JtBpBX[
NdNTVd
NTVdF$+-
NdRNTR
tg-NT|
RVd+RPV
UVk$WCdS4Kl++u
K$);rq{0
shKdCT++
shsDKdK<+
t`KlsdRS0
r$SdC0KP<
3KL#C@
s'V6Fl
rAF@NPVd~03
~L3N<#3F@f<AF,N8#f<AV@F<fNdf
Pt'VdF$+-
fFdf+Fh
rYHFXVdF0~@B3
~L#3F@f<AN,F8#f<PN@V<fFdf
JFXHFXu
NdNPFX
3NL#F@nVdF0
FdQFTw
tqPNT|
RVd+RPV
FdQFT.
Y_^3]Y
SUVW|$(w$GtWdO0opD$
t$,W0D$
D$(8D*
W,G8#3f4PD$
$D$ ;w
QSUVt$
s'VFl\$
rAF@NPVd~LN03
N<3#3F@f<AF,N8#f<AV@F<fNdf
PVXFhVpF\nXtXFx;sOVdF$+-
VdFlNp
VlFpNdA
Nd;w>F@NP~03
~L3N<#3F@f<AF,N8#f<AV@F<fNdf
PFpHFpuNd
I;u2NT|
FdQFTc
VdNlBIVd
NdFlAHF`
NdFlF`t\FdN0
RVd+RPV
H_#^][Y
Y_^]3[Y
G(RPW$
F4F0F8F
W(VRW$
N$W(QRW$G(VPW$
WVF,N8
0D$8S\$8U
C0V;WT$
lT$HD$$RL$,PT$4QD$<RP\8
L$\T$8D$<QL$DRT$LPQR.)
K,T$D;u%C0s(;t
uqD$L|$HPWSS4h7
D$LT$Ds
D$ u"C(;t
N(PQV
L$ ;rT$
VQT$@L$DRQT$,L$0RS
T$8D$<L$
VRT$(PQR#
N(PQV$
T$DPVSS4w#
C K4>V
D$Hs k
L$LQP@
8SK4N1
L$Hs k
D$HK L$
S4T$LRWSH0
T$LRP@
T$PS4/
F(RPV$
QVSC4"/
L$LQVF
F(RPV$D$
V(QRV$
T$HVSS45.
L$Dt$H|$
K4L$LQVS-
K4PVS-
L$Dt$H|$
>SK4F-
VWG(N(PQV$W$F(RPV$N(WQV$$3_^
3WN|~P~
|$ WUSVz
@APQVd
VL$ D$(c
T$ RVT
D$$SUV
L$$T$ T$0
t$4L$033
`t$ fB4
+t$$<f4
t$4L$0D$
HL$0D$
D$0tbT
;t"+3f
f>D$0HD$0ut$4l$
NfAuD$0|6t$,x
o]_^[Y
GD$ D$
|$$3Bf ;
+;~g3ft
+;~g3ft
+;~f3f
+;~f3f
+;~f3f
Ol$$|$
+;~_3ft
f+fL:f
;~ql$ 3f
+;~j3fT
+;~b3f
SUVt$ W|$(V F
L$(N0T$$V4D$
D$$L$(F ^
WVQR33
L$@N0T$<V4
L$$D$,
L$$D$,
D$$D$$+
L$$D$,
L$$D$,
D$$D$$+
N(;rD$
u#F0N(;t
ucV4T$,RWV
V4D$8F0
u#F0N(;t
ucV4T$,RWV
V4D$8F0
V4T$,RWV(
L$$D$(N ^
D$$L$(F ^
L$,QWVV4
AML$(V4T$,RWVx
;t7L$$^
N L$( O
L$$D$(N ^
D$$L$(F ^
L$$D$(N ^
QSW|$ j
SQL$ RUPj
W(SRW$
|$T|$X|$\|$`|$d|$h|$l|$p|$t|$x|$|$
lTDTEJ(u9t$Tu $(
9:_^]3[
D$X+l$
;u;T$,v
\T+3x%A
T+t$Dy
|$@|$<
t$4PLTT$ L$(T$(
;v+l$$+l$(
D$@|$L
t>|$8D$
t$@L$0
T$LD$1+
`T$0 +$$
;D$<s!L$@
;D$<rL$
|$8M#;t l$
M#;uT$
HD$$D$
L$(T$
@L$(L$,B;D$
QS\$,UVC(Wj
T$4D$$l$
WQL$4RT$,PQh
T$4D$(L$
WQL$8RT$(PD$0Qh
RQ(u$T$(:
w[C(WPS$
3_^][Y
u K(WQC
K(WQS$
S(WRS$
k4W{0F
C4s(;t$
D$,L$(SU(@
Q Vq0Wy4D$
L$ t$4#3
L$,++t$
+l$8](;sYm,l$(+
;rl$(+;v!+
GFMut$8v(
GFIul$
GFIul$
GFIul$
r3L$<\$
+t$,\$,
\$8+S
{4_^]3[
tVt$<\$
\$8+S
+t$,\$,
t$,\$8+S
{4_^][
DDDDDDDDDDDDDD
:t3^[_m
U S39]
;tVEEE
B:t6t:t't
;t_+^]
:YY4VE
;t+^8]t
ru{vnM
tR:QuMPt<:Qu7Pt&:Qu!Pt
@AE9]r3_[
f1AA9U
ES3V;u
^SSSSS04
;u 8 t
SSjWVQRz[
j"^;~Ej3X
QujWVp
e^[M31
[]UWS}
@@fu3_[]
S3VW;t
^0SSSSS
EV3W;u
_VVVVV8
;u*f93t
@@f90u3
VVjSWQRX
j"N;~Fj3X
QujSWp
3:f90t3W
ja_f;w
AAf91u_
SVW3;t
^0WWWWW
AAKu;t
AAFFf;t
Ku3;uf
S3VW;t
^0SSSSSm
SVW3;t
^0WWWWW
AAFFf;t
Ku3;uf
VW3;tG9}
^0WWWWW
Wt1t'P
,ffffffE
Y]3PPPPP
^0WWWWW
X_^]UW}
pXPTPE
QTPTQXPXQ
`SSSSS
YY~T;u
EVSY9]t
uY3^_[
3;u19=
Y3@_^]
u$u WPSUWj
u&WVS"u
Iuu}]U
+EPRQL
3SEEESX5
PZ+t Q3
EEEEEEEE9
tNIt?It0It
$f;uUm\
EYY" uES
UQSVW5
;r@PuK
QPvYYu
3PPPPP
ItUhtDlt
HHtXHHt
4itqnt(o
YYY;-u
t-RPSW0
0@>If90t
@@;u+(;u
EPFPF\
u(9t M
`pM_^3[P
Flvli(
YYt:V5
PDYF,t
P6YF4t
P(YF<t
PYF\=(
~lt#W['
YYt4V5
WWWWWf
M9}u!N
YYt|+ ;u
@;u`3@
SVW39}
}O;]rOt
M+;rP})E
VPjYYt)EF
tAt2t$
Ej@j ^V0
1E3PeuEEEEd
Y__^[]Q
:^E_^[]E
9csmu)=4(
F$|3@_^
O3G}39
MOI;|9 M
SI VW}
HD9#U#
MLD3#u
]#\D\D
VW33};
VVVVVu
3PPPPP1
V@Y<v8V;
3VVVVV
;t$t j
WPWPWv
M_3[lj
8]tEMap<u
Zf1Af0A@@JuL
@;vFF~
XM_^3[gj
M'}_hu
P.Y^hS=p
3W;to=
t7t3V0;t(W8Yt
VYY^3j
Fpt"~l
j qY{j
RQMQVp
YY]VD$
0;u,^WWWWW
u+9uv&
E`p3[_^
ESV3W9
u8SS3GWh$
39]$SSu
;~Ej3X
3;tAuVWuu
t"SS9]
EVVYuMEYY
3;tuSW
PWu u5
u'YE;t
e_^[M3
u(Mu$u u
AAu+Hu u
DDDDDDDDDDDDDD
B(;r3_^[]
1E3PEd
EYF`[_^
Ucsm9E
PYY]3]
YYu,9E
GW#YY=
SBVC>=Yt1j
tNVSPn
3PPPPP
3Y[_^5
FA>\t>"u&
uUEPSS}
=?sJMsB
;r6P&Y;t)UEP
W33;u.
SSS+S@PWSSE
E;t/PLYE;t!SSuPuWSS
uOY]]W
u+@PEY;u
E3E3;u
3;v.jX3;E
X 9} E
AP _^[]
;}"+]t
|3Et^E
EE EE$h
u+t's C
KSVWT$
URPQQh
t;T$4t
;v.4v\
UVWS33333[_^]
33333USVWj
_^[]Ul$
Y}SYE;t
EU_^j
WWWWWe
WWWWW$
V34809u
u&C30'VVVVV
P4UM`8
<PVEP(
r3VVhU
QH++PPVh
,P+P5P(
\D+48;E
"0?@&Y1(
8+0_[M3^pj
WWWWW#
3]V3;|
WVVVVV
^SSSSS0k
f;v6;t
Map_^[;t2;w,,j"^SSSSS0
W>+~,WPV
Y/V|Yt
Y}3u;5
eE}hx,
Y+t"+t
+td+uD}
3PPPPP
P'EY3}
u@OdMGd
u wdSUY
FYYt,t(
3_^[];t
^0SSSSS~
SV3W;u:EP3FVh$
39] SSu
P#nY;t
ESjsEYu39]
e_^[M3c
Mnu$Mu u
q6yqv qqv$iqv(aqv,Yqv0Qqv4Iqv
Aqv89qv<1q@v@&qvD
qvTpvXpv\pv`pvdpvhpvlpvppvtpvxpv|p@
PoYF ;
PooYv$;5$
V]oY^]UV3PPPPPPPPU
$s ^UV3PPPPPPPPU
EPQEPEj
EPLnYM3/_
w/L;t8
-WWuuj
WWWWVuWu
DYYE;t+WWVPVuWu
ulYEe_^[M3{]QL$
YE;t'CH;r
9}uH;u
E;t CH;r
PSuQSu
t4VEYt vV5YYt
3"Ft|u
Fu^8Mt
MMc3;u+qj
_VVVVV8p
SSSSSn
F80t.G
E`p3_^[
^VMQMQp
XpSSSSS0
M_^3[U
;u+noj
^WWWWW0/n
FV/nYY
E`p3[_^
MNu]u-
^03PPPPPj
E`p3_^[
^VMQMQp
jSSSSS0i
M_^3[P
_WMQMQp
CjSSSSS8
EHE3}-
M_^3[O
et_EtZfu
VVVVV_f
]EuMm]]
3@3ht'
USVWUj
H3&NUh
P(RP$R
t:|$,t
;t$,v-4v
UQPXY]Y[
S3;VW|[;
t58t0=
]V3;|";
u$Nf04fVVVVV
EV395P
tVURPEPQ
PYYt}E
eMapYc
E`p:39]
8cWWWWW
WWWWWua
Y}V*YEE
SSSSS`
ffffffu
S3VW9]
u._SSSSS
v(}_SSSSS
E`p`E9X
8]tDMap;E
;t+3_^[
u ^VVVVV
MOEP3SSSSWEPEPs
E`p3M_^3[
M(OEP3SSSSWEPEP
E`p3M_^3[dC
^0SSSSS[
3PPPPPX
^3[XAWVU33D$
%#Vt1W}
_VVVVV8X
YY3^]3PPj
WWWWWSW
^]UWVSM
u'339\u
JB|j 3Y+@M
JBj Y+3B\M
3+BL1<
}3^j Y+
u'339\u
JB|j 3Y+@M
JBj Y+3B\M
3+BL1<
}3^j Y+
S3V3EE
F3WE}]u]]]]]]]9]$u LSSSSS
<+t(<-t$:t<C
]<+t<-t`}
+t HHt
B:t,1<
+JMtHHt
B:}OMEO?
tEPuEP,
3f;u BE
f;u!BC
u4}u+e
f;r#33f9EE
M_^3[<,
]EEEEEEEEEEEE?E
u}fu/u+u'3f;
;u0u,h'
VVVVViB
VVVVV=B
`EfUu}M
MMMMM3
3f;u GE
90t!uuE
EFFEM}
EMuUm
HuMu9Et
u4}u+e
33f9EE
f;wK3EE9
}fEEEEEf}V33f9u
E\3f;u
f~7}x+EMe
EM}Um
H}Mu9Et
u4}u+e
f;r#33f9EE
ufEEEEEfu
~(E]Mm
0K;]sE;]s
EM_^3[$#
K;sE;s3f
SVW}]3
SV3WEN@
Vw!Y^]
EPMP2hL
EPMPhdJ
u$~50d5VVVVV
PO5Y#5
$UQQSVWd5
SVWE3PPPuu
E_^[E]
UQSVW}
3PuEEd
3PeuEEd
t3@_^]
=csmu+O
8csmu8x
t*9csmu"A
.<j,hpK
GuQYKM
>csmuB~
YYtaSV
YYt)SV
Ht Hu4j
SEdU3@
t+>MOCt#u$u u
EPEPVu W
;Es[S;7|G;w
@u"u$u
;Er[_^
79>u&~
YuO39 ~
dYYhD(
EPEPuu W
(u$]u E
^EYETE
)u$u uSu
tR99u2y
u$Vu u
Q 3@_^[]U
mmVW_^]M
MYM$=pT$
deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
inflate 1.1.4 Copyright 1995-2002 Mark Adler
Unknown exception
Y ntan
(null)
`h````
xpxxxx
EncodePointer
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
CorExitProcess
runtime error
TLOSS error
SING error
DOMAIN error
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
- not enough space for locale information
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
- CRT not initialized
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
_nextafter
_hypot
Complete Object Locator'
Class Hierarchy Descriptor'
Base Class Array'
Base Class Descriptor at (
Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
delete[]
new[]
`local vftable constructor closure'
`local vftable'
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
delete
__unaligned
__restrict
__ptr64
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
`h`hhh
xppwpp
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
GAIsProcessorFeaturePresent
KERNEL32
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
CONOUT$
1#QNAN
1#SNAN
string too long
invalid string position
bad exception
GetCurrentProcessId
KERNEL32.dll
GetCurrentProcess
EnterCriticalSection
DeleteCriticalSection
VirtualFree
GetTickCount
OpenEventA
GetDiskFreeSpaceExA
GetVersionExA
MultiByteToWideChar
CancelIo
InitializeCriticalSection
CreateThread
WaitForSingleObject
SetEvent
GlobalSize
Process32First
GetCurrentThreadId
CreateToolhelp32Snapshot
LocalSize
TerminateProcess
RemoveDirectoryA
LocalReAlloc
FindNextFileA
TerminateThread
CreateEventA
GetLocalTime
HeapAlloc
SetFilePointer
WriteFile
CloseHandle
GetFileSize
CreateFileA
DeleteFileA
LocalFree
VirtualAlloc
GetSystemDirectoryA
LocalAlloc
ReadFile
LeaveCriticalSection
bad buffer
bad Allocate
WS2_32.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductName
WININET.dll
InternetCloseHandle
InternetOpenA
InternetOpenUrlA
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E)
%s%d%s
GetProcessHeap
%d.%d.%d.%d
advapi32.dll
ConvertSidToStringSidA
xuetr.com
www.vccn.com.cn
znmq.com
mmsk.cn
luosoft.com
avast.com
mcafee.com
trendmicro.com
masterconn11.qq.com
dl_dir2.qq.com
geotrust.com
eset.eu
gj.qq.com
pdlxf_doctor.qq.com
fs_tcp_conn_doctor.qq.com
fs_report_doctor.qq.com
fs_conn_other_doctor.qq.com
fs_conn_doctor.qq.com
fs_conn_back_doctor.qq.com
xf_com_update_doctor.qq.com
cfg.xf.qq.com
c.pc.qq.com
eset.com
eset.com.cn
kaspersky.com
kaspersky.com.cn
micropoint.com.cn
antiy.com
antiyfx.com
jiangmin.com
jiangmin.info
sucop.com
kinsoft.com
pc120.com
ijinshan.com
duba.net
rising.net.cn
rising.com.cn
qh-lb.com
qihoo.com
360safe.com
360.cn
SnipeSword
WinHex
SysReveal
IceSword
Kernel Detective
PowerTool
HTTP/1.1
Connection: Close
\VarFileInfo\Translation
\StringFileInfo\%s\FileDescription
\StringFileInfo\%s\InternalName
\StringFileInfo\%s\LegalTradeMarks
\StringFileInfo\%s\OriginalFileName
\StringFileInfo\%s\ProductName
\StringFileInfo\%s\ProductVersion
SeDebugPrivilege
C:\Windows\System32\safemon.dll
kernel32.dll
LoadLibraryA
PUBWINCLIENT.EXE
FZCLIENT.EXE
BARCLIENT.EXE
CLSMN.EXE
CLIMN.EXE
SICENT.EXE
TLNBCLT.EXE
TLNBLDR.EXE
TLNBSRV.EXE
NBLASSIST.EXE
CLIENT.EXE
WXCLTAID.EXE
WBJFSYS.EXE
MKSERVER.EXE
MKDBRESTORE.EXE
FKCLIENT.EXE
MKCLIENT.EXE
NXPRUN.EXE
HINTCLIENT.EXE
SAFECENTER.EXE
SERVICESMANAGER.EXE
c:\windows\system32\wm.ini
hostnum
oldhost_
newhost_
xxooxxoo
about:blank
InternetShortcut
IconFile
IconIndex
startpagenum
startpage
process_
blockie
lockie
blockreg
lockreg
urlnum
URLLNK
filename_
iconfile_
IconIndex_
Folder_
\Microsoft\Internet Explorer\Quick Launch
jmpurlnum
jmpurl
oldUrl_
newUrl_
antinum
anti_file
ooxxooxx
cbtnum
domainnum
domain
domain_
ooxx@@
Allowdomainnum
Allowdomain
Allowdomain_
http://
/out.txt
Windows2003
WindowsXP
Windows2000
WindowsVista
Windows7
%s-%s-%s-%s-%s-%s
/t.asp?os=
/a.asp?ver=
\dw.ini
C:\Program Files\Internet Explorer\iexplore.exe
urlmon.dll
URLDownloadToFileA
C:\Windows\System32\wm.ini
CreateProcessA
CreateProcessW
Wininet.dll
InternetConnectA
\\.\NtHook
c:\windows\system32\gho.ini
explorer.exe
bad allocation
%s\shell\open\command
list<T> too long
Delete
Applications\iexplore.exe\shell\open\command
WinSta0\Default
Scroll
Num Lock
Insert
Snapshot
Execute
Select
DownArrow
RightArrow
UpArrow
LeftArrow
PageDown
PageUp
[CapsLock]
Backspace
[:] %s
:]%d-%d-%d %d:%d:%d
<Enter>
InterlockedExchange
SetCursorPos
USER32.dll
SetCapture
mouse_event
keybd_event
OpenClipboard
EmptyClipboard
GlobalAlloc
GlobalLock
GlobalUnlock
SetClipboardData
GlobalFree
CloseClipboard
GetClipboardData
SelectObject
gdi32.dll
CreateCompatibleDC
GetDesktopWindow
SetRect
ReleaseDC
CreateDIBSection
GetSystemMetrics
DeleteObject
GetCursorPos
CreateCompatibleBitmap
GetDIBits
BitBlt
LocalSystem
SYSTEM\CurrentControlSet\Services\%s
Description
\cmd.exe
Process32Next
OpenProcess
EnumProcessModules
PSAPI.DLL
GetModuleFileNameExA
OpenProcessToken
ADVAPI32.dll
LookupPrivilegeValueA
AdjustTokenPrivileges
SeShutdownPrivilege
IsWindowVisible
GetWindowTextA
GetWindowThreadProcessId
\OK\KernelYK\bin\safemon.pdb
VerQueryValueA
GetFileVersionInfoSizeA
GetFileVersionInfoA
VERSION.dll
VirtualFree
InitializeCriticalSection
LeaveCriticalSection
GetProcAddress
VirtualAlloc
LoadLibraryA
WaitForSingleObject
SetEvent
CreateEventA
InterlockedExchange
ResetEvent
CancelIo
CloseHandle
FreeLibrary
GetTickCount
lstrcmpA
lstrlenA
GetWindowsDirectoryA
WideCharToMultiByte
lstrcatA
GetPrivateProfileStringA
GetPrivateProfileSectionNamesA
lstrcpyA
CreateFileA
GetCurrentProcess
Process32First
CreateRemoteThread
OpenProcess
GetPrivateProfileIntA
VirtualFreeEx
GetModuleFileNameW
GetSystemDirectoryA
MultiByteToWideChar
GetLastError
CopyFileA
VirtualAllocEx
GetTempFileNameA
Process32Next
WritePrivateProfileStringA
DeviceIoControl
GetModuleHandleA
VirtualProtect
CreateToolhelp32Snapshot
GetVersionExA
WinExec
GetTempPathA
WriteProcessMemory
DeleteFileA
CreateThread
GetDriveTypeA
GetVolumeInformationA
GetFileAttributesA
CreateProcessA
CreateDirectoryA
FindFirstFileA
GetLogicalDriveStringsA
FindClose
LocalAlloc
MoveFileA
LocalFree
GetStartupInfoA
HeapAlloc
HeapFree
LocalReAlloc
PeekNamedPipe
WriteFile
TerminateThread
TerminateProcess
ReadFile
DisconnectNamedPipe
WaitForMultipleObjects
CreatePipe
GetSystemInfo
KERNEL32.dll
wsprintfA
PeekMessageA
KillTimer
SetTimer
GetMessageA
CharNextA
GetAsyncKeyState
GetWindowTextA
GetForegroundWindow
GetKeyState
LoadCursorA
BlockInput
DestroyCursor
MapVirtualKeyA
WindowFromPoint
SetRect
GetCursorInfo
ExitWindowsEx
PostMessageA
SetThreadDesktop
CloseDesktop
OpenInputDesktop
GetThreadDesktop
OpenDesktopA
GetUserObjectInformationA
USER32.dll
DeleteObject
DeleteDC
BitBlt
GDI32.dll
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
LsaOpenPolicy
LookupAccountNameA
LsaClose
IsValidSid
LsaRetrievePrivateData
LsaFreeMemory
OpenProcessToken
RegQueryValueExW
RegQueryInfoKeyW
RegDeleteKeyW
LookupPrivilegeValueA
RegOpenKeyExW
RegEnumKeyExW
AdjustTokenPrivileges
RegQueryValueA
RegSetValueExA
RegDeleteKeyA
RegEnumKeyExA
RegCreateKeyExA
RegDeleteValueA
RegEnumValueA
RegQueryInfoKeyA
OpenServiceA
CloseServiceHandle
DeleteService
EnumServicesStatusA
LockServiceDatabase
StartServiceA
ChangeServiceConfigA
QueryServiceStatus
OpenSCManagerA
QueryServiceConfigA
UnlockServiceDatabase
ControlService
RegOpenKeyA
ADVAPI32.dll
SHGetSpecialFolderPathA
SHGetFileInfoA
SHELL32.dll
WSAIoctl
WSASocketA
WS2_32.dll
InternetOpenUrlA
InternetReadFile
InternetOpenA
InternetCloseHandle
WININET.dll
UuidCreateSequential
RPCRT4.dll
NetUserAdd
NetLocalGroupAddMembers
NETAPI32.dll
WTSQuerySessionInformationA
WTSFreeMemory
WTSAPI32.dll
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
ExitThread
GetCurrentThreadId
GetCommandLineA
RaiseException
GetModuleHandleW
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
InterlockedDecrement
EnterCriticalSection
SetHandleCount
GetStdHandle
GetFileType
DeleteCriticalSection
HeapReAlloc
HeapCreate
HeapDestroy
ExitProcess
GetModuleFileNameA
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
LCMapStringA
LCMapStringW
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
RtlUnwind
HeapSize
SetFilePointer
GetConsoleCP
GetConsoleMode
InitializeCriticalSectionAndSpinCount
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
FlushFileBuffers
safemon.dll
need dictionary
incorrect data check
incorrect header check
invalid window size
unknown compression method
invalid bit length repeat
too many length or distance symbols
invalid stored block lengths
invalid block type
incompatible version
buffer error
insufficient memory
data error
stream error
file error
stream end
invalid distance code
invalid literal/length code
incomplete dynamic bit lengths tree
oversubscribed dynamic bit lengths tree
incomplete literal/length tree
oversubscribed literal/length tree
empty distance tree with lengths
incomplete distance tree
oversubscribed distance tree
.?AVtype_info@@
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
I x@oGAkU'9p|B
~QCv)/&D(
uuvHMXB
9;5SM]=];Z] T7aZ%]g']
?Zd;On
7?3=Bz
;1az?aUY~S|
D?$?9'
*?}d|FU>c{
zc%C1<!8G
u7.:3q
#2IZ9W
,%I-64OSk%Y
.?AVout_of_range@std@@
.?AVbad_exception@std@@
.?AVCBuffer@@
.?AVCClientSocket@@
.?AVCDialupass@@
.?AVCOneInfo@@
t.nodsafe.com
.?AVCManager@@
.?AVCFileManager@@
.?AVexception@std@@
.?AVlogic_error@std@@
.?AVlength_error@std@@
.?AVbad_alloc@std@@
.?AVCKernelManager@@
.?AVCKeyboardManager@@
.?AVRegeditOpt@@
.?AVCRegistry@@
.?AVCRegManager@@
.?AVCScreenManager@@
.?AVCCursorInfo@@
.?AVCScreenSpy@@
.?AVServersManagement@@
.?AVCServersManager@@
.?AVCShellManager@@
.?AVCSystemManager@@
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
0$0H0Z0d0t0y000000`1y111
2W2222
3J3a33333
5#585E5b5l555555
6;6_6666
8m8z8888888
969E9D;O;Y;d;n;y;;;;;;
<K<Q<(>/>=>D>q>>
?A?J?y????
1:1G111111"2)2D2y222T3^3333<4F4444
5:55555-676t666666
7 7$7(7,777
8)8W8k8{8888888=9Z9b9x99999999999
:a:|:d;~;;;6<;<S<]<<<<<<<K=o=
1 1\1z1111-2x222B3333X44466
7777+8w8-;;;
<1<}<<<;=J=S=Y=`=g=~==
0'14555(6T6y666
7 7&8K8~88`9
9999K:b:x:;g?u?
>00V1111
2222333
4!4j44
5Q5V5e556577488
99F::f;c<
=6=;=M==>>>>>
?8?????
.0T0`0f0k0r0000011111
2.2@2R2d2v2222222222
3 373I3y33333333
4#4.444445{66666666
7D7y77K8x888
9A9k999999999
:::R:X:t:::W;a;};;<<<<<<B=G=L=R==]>>>>>>>>>
?6?I?[?i?}??????
b1o11111111
233*4k4444
515H5N5T555555 7C7P7l7v77788
959;9B99
:::::::h;r;;
<*</<5<O<f<l<<<<<<]>g>>>>>>>
S00000011192`2x2}222222W3a3g33
4#4=4T4Z4v4444444u6
6666666h8
9&9,9O9_9e9n999
:J:P:X:v::::
;!;&;,;R;];b;i;o;t;{;;;;;;;;;
<"<(<.<T<_<d<j<p<{<<<<<<<
>B>^>f>>>>>>
?Z?a????
0A0P0000
1 1(131{1111G2X2g2m2222'30363f3k3}334444
7-7778999e::
;;3<<<<<
="===r====
>z>>5?]?m?????????
0#0)0>0o0t0z00000001 22<33C4I4O4V4^4d4l4q4v4{4444444444
5*555B5S5o5}55555 6%666V6_6k6s666666
737D7K7g7777
8=8Z8_8e8k8u8888888888888
9+959G9Z9m999999999999*:0:9:M:`:j:u::::::::::::
; ;;;;;;;;;3<A<h<<<O=c=r====
>">7>>>>>>1?K???
<0@0D0H0L0P0T0X0\0`0d0h0l0p000000
1-1]1{111
2Q2s2222}333b444-5H5N555#6w666
7`7g77718N8U888
9)9999/:K:T:[:i::::
;);P;W;u;;3<F<^<s=======b>???
70000<111
2D2t2222c3p33377s88888 969H999
::: ;:;G;l;;;;;;&<,<i<<<<<<<<
=+=1=E=g===
>->6>R>X>^>>>>>>
?y?????
0Y0k0z000000I1[1j11111192K2Z222222)3;3J3s3y3333
4h4s4444444
6L6o6u66666
777788
9#9/9S9_9p9v9999999<:::
;*;4;:;K;d;s;;;;
<,<H<Q<o<u<<<<<
=G======$>>>>>??????????????????????
W00000
1H1Q1X11111111111
20292@2U2h2n2222
3'3X3^3h3z33
4&4-4]4n444444
5&5-5?5R5d5}555555F6[6k6v6666A7\7p77777
8F8X88888z;;;;L<|<<<
=0=y===========(>,>0>4>8>B>k>>>j????
0b061111(232S2222
3"3;3{333333
4&4444C5S5m5y55555555
6-6966666666
8L8h8l8p8t8x8888
99-:H:L:P:T:X:::::;
<8<<<@<D<H<S<f<<<=======
>>>>>C?U?z???
0 0>0I0\0j0x00000
1%1,1J1V1`1j1111111
3 3F3V3333
444444
5 5$5(5,5054585n555555V6h666
7777777777
898H8e88094989<9@9D9H9L9P9T9X9\9`9d9h9y9
9999999999999
:6:<:A:I:^:c:{:::::::::A;;;;;;
<!<&<4<9<E<J<X<]<k<p<<<<<<<0>4>>>>>>>>>>>U?b?????
1$1,1u112222222
3 3$33383H333333
4*4/494@44444
5(5-525:5B5G5^5c5555556666
7 7F7L7m777
8X9_9|9999
; ;W;f;q;;;;
<$<E<X<f<<<<<<
=E=X=f={=======
>3>C>X>x>>>
?#?0?E????
0@0000
1&1I1]1
2/2<222222
3Z3e3v333
4'484f444444
5'555555
6"6C6T6e6w66666074787<7O7b7
77777777
888=8D8K888I9p9{9999999
:$:):2:v:::::::::::
;,;;;;D<K<`<<<<<<<<<<)=@=a={===========4>=>B>^>j>y>>>>&?-?6?f?x?????
*0J0c0n000
1,1w11111
2*2g2w2~22222
3L3b3334444"595?5t566667
8G8r888
9*9;9B9Y9_9t999
:!:&:,:i::::::::
; ;,;5;T;b;s;;;
<-<=<J<j<p<v<<J=>>>K?
0W0|00b233333333333333364n4}45
77778<9:
; ;i???
9H<}<;==
3 5$5(5,5054585<5@5D5H5L5P5T507@7J7!9/9K:Y:
25 6<==2>A>>>
3+4 55M6r88P:T:X:\:`:d:h:l:p:t:
a0f0000
1:1c1}11111U3d33
4j445}666666
77777777
8!8(8,8084888<8@8D888888
9,93989<9@9a99999999999*:0:4:8:<::::w;;;;F<<<<<<<
=>h?o???
]0o0000
1-1x22223f5x5555f6
8}9C;r====J>b>>>u?
1|22222"3)3/3T3\3l333
4^4c4m44444
5.5^5z555
66666666666
7 7'737<7A7G7Q7Z7e7q7v7777777'99
:(:::::
;%;1;=;b;k;t;;;;;;;;;;
< <_<c<g<k<o<s<w<{<
<<<<<<<<
?!?J?O?f???
030?1F1Q22
373333
8999;===========
>2>9>`>f>q>}>>>>>>>>>>>
? ?4?E?Q?_?e?q?w?????????
0.0n0t000000x1111112A2G2S2Y2i2o222222222222222
3"3'3-31373<3B3G3V3l3w3|33333333333
4(444442585R5a5n5z555555555
6B6u66666"7479999
:r:z::::
;F;v;;;;
<"<D<<<<===
>[>s>z>>>>>>>
? ?(?;?_??
0"0'0j2x2~2222222222
343:3E3J3R3X3b3i3}333333333333
8B8h888:::::
;$;-;@;J;V;_;g;q;w;};;;;;;;;
<y<<<<<<<<<<<<
= =(=8=M========>>>>>
?+?4?;?D??????
0&080\00
1012222
3&3Z3e3o33333
454H444
6)6<6N6i6q6y666666666
7A7R7u7:8d888J999
: :\:;>>>>>>>
000X1)2@3t33*4_4x4
4444444
5 5$5n5t5x5|5555
6 6A6k6666666666
8 8=8Q8W88R9X9q9w9X:a:m::::::
; ;.;f;p;;;;;;======:>@>V>a>x>>>>>
?1?c?|??????
0!0)050Y0a0m000$1*161111111111111111111114455555T6]777c88:::
;';W;;;<<
=M=S=====8>g> ??
90Y0I1r11Y394
535I555F6z66&777777$9B999
:.:;:@:N:);L;W;z;;
<0<`<{<<<<
= =%=5=d=r===
> >>>>(?7?S?a?g?w?|????????????
0G0d00u1|1111111111-22;3H5Z5l55555555777 8,8
9:: ;;;;;
<.<b<h<t<<?
)0a05v6G8P8|88888
9!999999
:9:::::R;];;;;;;;;;;
<#<)<?<Z<<m=
>>>> ?)?~???
p0}000
3-5:7@7E7K7R7d77777
8J8y89::;<)=/====>>A?
70?001m2s2
44o77::::::::::::
6k82:8:>:D:J:P:V:\:b:h:n:t:::::::
;);I;V;\;b;h;n;;;c<
=4=9=??
0D0u000]12|33a569 :,:*<===
>0>`>>>>
?J?z????
"0J0z000
1J1111
2J2z22
3@3j333#4`444405p55555555555555555
6!6&6,63686A6F6L6S6X6a6f6l6s6x666666666666666666666
7!7&7,73787A7F7L7S7X7a7f7l7s7x777777777777777777777
8!8&8,83888A8F8L8S8X8a8f8l8s8x888888888888888888888
9!9&9,93989A9F9L9S9X9a9f9l9s9x999999999999999999999
:!:&:,:3:8:A:F:L:S:X:a:f:l:s:x:::::::::::::::::::::
;!;&;,;3;8;A;F;L;S;X;a;f;l;s;x;;;;;;;;;;;;;;;;;;;;;
<!<&<,<3<8<A<F<L<S<X<a<f<l<s<x<<<<<<<<<<<<<<<<<<<<<
=!=&=,=3=8=A=F=L=S=X=a=f=l=s=x=====================
>!>&>,>3>8>A>F>L>S>X>a>f>l>s>x>>>>>>>>>>>>>>>>>>>>>
?!?&?,?3?8?A?F?L?S?X?a?f?l?s?x?????????????????????
0!0&0,03080A0F0L0S0X0a0f0l0s0x000000000000000000000
1!1&1,13181A1F1L1S1X1a1f1l1s1x111111111111111111111
2!2&2,23282A2F2L2S2X2a2f2l2s2x222222222222222222222
3!3&3,33383A3F3L3S3X3a3f3l3s3x333333333333333333333
4!4&4,43484A4F4L4S4X4a4f4l4s4x444444444444444444444
5!5&5,53585A5F5L5S5X5a5f5l5s5x555555555555555555555
6!6&6,63686A6F6L6S6X6a6f6l6s6x666666666666666666666
7!7&7,73787A7F7L7S7X7a7f7l7s7x777777777777777777777
8!8&8,83888A8F8L8S8X8a8f8l8s8x888888888888888888888
9!9&9,93989A9F9L9S9X9a9f9l9s9x999999999999999999999
:!:&:,:3:8:A:F:L:S:X:a:f:l:s:x:::::::::::::::::::::
;!;&;,;3;8;A;F;L;S;X;a;f;l;s;x;;;;;;;;;;;;;;;;;;;;;
<!<&<,<3<8<A<F<L<S<X<a<f<l<s<x<<<<<<<<<<<<<<<<<<<<<
=!=&=,=3=8=A=F=L=S=X=a=f=l=s=x=====================
>!>&>,>3>8>A>F>L>S>X>a>f>l>s>x>>>>>>>>>>>>>>>>>>>>>
?!?&?,?3?8?A?F?L?S?X?a?f?l?s?x?????????????????????
0!0&0,03080A0F0L0S0X0a0f0l0s0x000000000000000000000
1!1&1,13181A1F1L1S1X1a1f1l1s1x111111111111111111111
2!2&2,23282A2F2L2S2X2a2f2l2s2x222222222222222222222
3!3&3,33383A3F3L3S3X3a3f3l3s3x333333333333333333333
4!4&4,43484A4F4L4S4X4a4f4l4s4x444444444444444444444
5!5&5,53585A5F5L5S5X5a5f5l5s5x555555555555555555555
6!6&6,63686A6F6L6S6X6a6f6l6s6x666666666666666666666
7!7&7,73787A7F7L7S7X7a7f7l7s7x777777777777777777777
8!8&8,83888A8F8L8S8X8a8f8l8s8x888888888888888888888
9!9&9,93989A9F9L9S9X9a9f9l9s9x999999999999999999999
:!:&:,:3:8:A:F:L:S:X:a:f:l:s:x:::::::::::::::::::::
;!;&;,;3;8;A;F;L;S;X;a;f;l;s;x;;;;;;;;;;;;;;;;;;;;;
<!<&<,<3<8<A<F<L<S<X<a<f<l<s<x<<<<<<<<<<<<<<<<<<<<<
=!=&=,=3=8=A=F=L=S=X=a=f=l=s=x=====================
>!>&>,>3>8>A>F>L>S>X>a>f>l>s>x>>>>>>>>>>>>>>>>>>>>>
?!?&?,?3?8?A?F?L?S?X?a?f?l?s?x?????????????????????
0!0&0,03080A0F0L0S0X0a0f0l0s0x000000000000000000000
1!1&1,13181A1F1L1S1X1a1f1l1s1x111111111111111111111
2!2&2,23282A2F2L2S2X2a2f2l2s2x222222222222222222222
3!3&3,33383A3F3L3S3X3a3f3l3s3x333333333333333333333
4!4&4,43484A4F4L4S4X4a4f4l4s4x444444444444444444444
5!5&5,53585A5F5L5S5X5a5f5l5s5x555555555555555555555
6!6&6,63686A6F6L6S6X6a6f6l6s6x666666666666666666666
7!7&7,73787A7F7L7S7X7a7f7l7s7x777777777777777777777
8!8&8,83888A8F8L8S8X8a8f8l8s8x888888888888888888888
9!9&9,93989A9F9L9S9X9a9f9l9s9x999999999999999999999
:!:&:,:3:8:A:F:L:S:X:a:f:l:s:x:::::::::::::::::::::
;!;&;,;3;8;A;F;L;S;X;a;f;l;s;x;;;;;;;;;;;;;;;;;;;;;
<!<&<,<3<8<A<F<L<S<X<a<f<l<s<x<<<<<<<<<<<<<<<<<<<<<
=!=&=,=3=8=A=F=L=S=X=a=f=l=s=x=====================
>!>&>,>3>8>A>F>L>S>X>a>f>l>s>x>>>>>>>>>>>>>>>>>>>>>
?!?&?,?3?8?A?F?L?S?X?a?f?l?s?x?????????????????????
0!0&0,03080A0F0L0S0X0a0f0l0s0x000000000000000000000
1!1&1,13181A1F1L1S1X1a1f1l1s1x111111111111111111111
2!2&2,23282A2F2L2S2X2a2f2l2s2x222222222222222222222
3!3&3,33383A3F3L3S3X3a3f3l3s3x333333333333333333333
4!4&4,43484A4F4L4S4X4a4f4l4s4x444444444444444444444
5!5&5,53585A5F5L5S5X5a5f5l5s5x555555555555555555555
6!6&6,63686A6F6L6S6X6a6f6l6s6x666666666666666666666
7!7&7,73787A7F7L7S7X7a7f7l7s7x777777777777777777777
8!8&8,83888A8F8L8S8X8a8f8l8s8x888888888888888888888
9!9&9,93989A9F9L9S9X9a9f9l9s9x999999999999999999999
:!:&:,:3:8:A:F:L:S:X:a:f:l:s:x:::::::::::::::::::::
;!;&;,;3;8;A;F;L;S;X;a;f;l;s;x;;;;;;;;;;;;;;;;;;;;;
<!<&<,<3<8<A<F<L<S<X<a<f<l<s<x<<<<<<<<<<<<<<<<<<<<<
=!=&=,=3=8=A=F=L=S=X=a=f=l=s=x=====================
>!>&>,>3>8>A>F>L>S>X>a>f>l>s>x>>>>>>>>>>>>>>>>>>>>>
?!?&?,?3?8?A?F?L?S?X?a?f?l?s?x?????????????????????
0!0&0,03080A0F0L0S0X0a0f0l0s0x000000000000000000000
1!1&1,13181A1F1L1S1X1a1f1l1s1x111111111111111111111
2!2&2,23282A2F2L2S2X2a2f2l2s2x222222222222222222222
3!3&3,33383A3F3L3S3X3a3f3l3s3x333333333333333333333
4!4&4,43484A4F4L4S4X4a4f4l4s4x444444444444444444444
5!5&5,53585A5F5L5S5X5a5f5l5s5x555555555555555555555
6!6&6,63686A6F6L6S6X6a6f6l6s6x666666666666666666666
7!7&7,73787A7F7L7S7X7a7f7l7s7x777777777777777777777
8!8&8,83888A8F8L8S8X8a8f8l8s8x888888888888888888888
9!9&9,93989A9F9L9S9X9a9f9l9s9x999999999999999999999
:!:&:,:3:8:A:F:L:S:X:a:f:l:s:x:::::::::::::::::::::
;!;&;,;3;8;A;F;L;S;X;a;f;l;s;x;;;;;;;;;;;;;;;;;;;;;
<!<&<,<3<8<A<F<L<S<X<a<f<l<s<x<<<<<<<<<<<<<<<<<<<<<
=!=&=,=3=8=A=F=L=S=X=a=f=l=s=x=
333333333333333333
4 4$4(4,4044484<4@4D4H4L4P4T4X4\4`4d4h4l4p4t4x4|444444444444444444444444444444444
5 5$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5|555555555555555555555555555555555
6 6$6(6,6064686<6@6D6H6L6P6T6X6\6`6d6h6l6p6t6x6|666666666666666666666666666666666
7 7$7(7,7074787<7@7D7H7L7P7T7X7\7`7d7h7l7p7t7x7|777777777777777777777777777777777
8 8$8(8,8084888<8@8D8H8L8P8T8X8\8`8d8h8l8p8t8x8|888888888888888888888888888888888
9 9$9(9,9094989<9@9D9H9L9P9T9X9\9`9d9h9l9p9t9x9|999999999999999999999999999999999
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:::::::::::::::::::::::::::::::::
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
< <$<(<,<0<4<8<<<@<D<H<L<P<T<X<\<`<d<h<l<p<t<x<|<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
= =$=(=,=0=4=8=<=@=D=H=L=P=T=X=\=`=d=h=l=p=t=x=|=================================
> >$>(>,>0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>|>>>>>>>>>>>>>>>>>>>>>P?\?h?t???????
<<<<<<<<<<
555;;;;;;;;;;;;;;;;;;
< <$<(<,<0<4<8<<<@<D<H<L<P<T<X<\<`<d<h<l<p<t<x<|<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
= =$=(=,=0=4=
777777
84888<8@8:
;4;8;<<<<
8888:::::::::::
;;;;;;<<
= =$=(=8=<=@=<>@>D>>>>>>
?$?(?8?<?@?D?L?d?t?x????????????
0 0(0@0P0T0d0h0p0000000000000
1,10181P1`1d1t1x1|111111111111
2 282H2L2T2l2|2222222222222
3(3,3<3@3H3`3p3t333333333333
4 4(4@4P4T4d4h4p444444444444
5(5,5<5@5D5L5d5t5x5555555555555(6H6h66666666
7(747P7\7x777777
888T8X8x888888
989D9\9`9|999999
: :@:`:h:p:x::::::::::
; ;D;P;X;;;;;;;;;;;;;
<,<H<L<\<d<x<<<<<<<<<<<<<<
=L=P=p========
>P>l>p>>>>>>>>>>
?\?l?????????
0$0T0X0h00000000
1 1,141d1x11111111
2(202<2\2h2222222
383D3d3p3333333
4 4@4L4l4t4444444
545<5D5P5p5|555555
6 6,6d6x666
x00000
111111
@4D4\4`4555
:$:,:4:<:D:L:T:\:d:l:t:|:::::>?
(080H0X0h0000000000000
1$1,141<1D1L1T1\1d1l1t1|1111111111
2 2$2(2,2024282@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2|22222222222222222222222222222
3 3$30333l7p777777
9 9$9(9,9094989<9@9D9H9L9P9T9X9\9`9d9h9l9p9t9x9|999999999999999999999999999999999
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:::::::::::::::::::::::::::::::::
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;t=x=|============================
> >$>(>,>0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>>>>>
?$?D?d??????
0,0L0h0
Invalid partition tableMissing operating system
Master Boot Record Wrote by MBR By DiskGenius
strchr
RtlUnicodeStringToAnsiString
RtlInitUnicodeString
_strnset
memcpy
MmGetSystemRoutineAddress
MmIsAddressValid
RtlCompareString
RtlInitString
ZwClose
ZwMapViewOfSection
ZwCreateSection
ZwOpenFile
KeServiceDescriptorTable
KeAddSystemServiceTable
ExFreePoolWithTag
ZwQuerySystemInformation
ExAllocatePool
memset
KeDetachProcess
KeAttachProcess
PsLookupProcessByProcessId
strstr
_wcsnicmp
RtlEqualUnicodeString
KeSetEvent
KeWaitForSingleObject
ZwSetValueKey
ZwCreateKey
ZwQueryValueKey
ZwOpenKey
wcsstr
_wcslwr
_wcsnset
ZwReadFile
ZwQueryInformationFile
ZwCreateFile
RtlCompareMemory
ZwWriteFile
RtlFreeAnsiString
ObfDereferenceObject
RtlAppendUnicodeStringToString
RtlCopyUnicodeString
RtlVolumeDeviceToDosName
ObReferenceObjectByPointer
ObReferenceObjectByHandle
PsSetCreateProcessNotifyRoutine
ObReferenceObjectByName
IoDriverObjectType
IoFreeIrp
IoFreeMdl
MmUnlockPages
IofCallDriver
KeInitializeEvent
IoBuildAsynchronousFsdRequest
RtlFreeUnicodeString
IoBuildDeviceIoControlRequest
IoGetDeviceObjectPointer
ZwPulseEvent
ZwAllocateVirtualMemory
ObOpenObjectByPointer
ProbeForRead
IoGetCurrentProcess
_strupr
PsGetProcessImageFileName
_wcsupr
PsRemoveLoadImageNotifyRoutine
PsSetLoadImageNotifyRoutine
PsGetVersion
KeDelayExecutionThread
IofCompleteRequest
ExEventObjectType
MmMapIoSpace
MmGetPhysicalAddress
PsCreateSystemThread
IoDeleteDevice
IoCreateSymbolicLink
IoCreateDevice
DbgPrint
KeTickCount
KeBugCheckEx
ntoskrnl.exe
RtlUnwind
KeGetCurrentIrql
HAL.dll
0R0000
1'1B1I1x1111111@22222$3B3i3333333333
484D44444444444444
5*545=5L5V5_5n5x555555555555
686|666666A7M7777
8 868F8a88
9Z9|99999:
;=;g;;;;;;;
<*<5<@<L<R<W<<<<<===
>'>>>>
?(?d?p????
0'0=0C0r0y00000000
1 1'1\1c1111
2L2i2}22222
3.3E3\3334455555
7+7U77777
8!8E8n88888888,9;9J9d9q9999999
:*:;:E:j:t:::::::
;0;E;P;_;p;;;;;
< <H<`<<<<
=*=E=q====== >7>A>V>k>}>>>
?e?u?????
+03090000
1*1Z1d11
2.2j22222222+3M3z3333Y4i4v44
5u55555
6$686666
7889!:0:|::::::!;3;M;;;;;
<.<3<><D<I<Z<j<U==========
>!>0>>>F>S>b>p>x>>>>>>>>>>>
?*?8?@?M?\?j?{???????????
0 0%0-060>0E0R0_0n0t0|0000000000000
1$1-151<1I1V1e1k1v111111111
2%2=2I2O2_2m2222222
3!3)323<3B3w3~33333333333
484R4^4d4i4u444444444444
5'515;5E5O5Y5c5m5w55555555555555
6!6+656?6I6Y6c6m6w666666666666666
7$7+757<7C7J7e7l7s7z7777
9*9<9S9z99999+::::::2;8;C;\;t;;;;;;
<4<H<\<p<<<<<<<
=8=>=K=c={======
>#>;>O>c>w>>>>>>>>>>>
?'?@?F?T?}??????
0.0F0\0s0000000000
1$1)11171^1q1~11111111111!2'202<2B2H2O2U2e2j2o2u2
2222222222
3-373A3K3f333333333
4(4@4X4p444444
5,5@5T5h5|55555555
6+646C6J6R6Z6l6u6666
7A7F77777777777
8/848R8v8888888888888
9 9&91999?9E9P9V9\9e9k9
9999992:
;c;|;;;;;;
<)<5=c=l==
d3h333
4,404L4P4l4p444444444
5,505L5P5l5p5555555
2(6,6064686<6@6D6H6L6P6T6X6\6`6d6h6l6p6t6x6|666
0 0$0-040
lgdvqogbqidbtofytqliayqoigavlidy
e�\�?�?�\�C�:�\�W�i�n�d�o�w�s�\�S�y�s�t�e�m�3�2�\�n�t�d�l�l�.�d�l�l�
\�?�?�\�C�:�\�w�i�n�d�o�w�s�\�
\�?�?�\�C�:�\�W�i�n�d�o�w�s�\�S�y�s�t�e�m�3�2�\�D�r�i�v�e�r�s�\�N�t�H�o�o�k�.�s�y�s�
\�R�e�g�i�s�t�r�y�\�M�a�c�h�i�n�e�\�S�Y�S�T�E�M�\�C�u�r�r�e�n�t�C�o�n�t�r�o�l�S�e�t�\�s�e�r�v�i�c�e�s�\�N�t�H�o�o�k�
I�m�a�g�e�P�a�t�h�
�S�y�s�t�e�m�3�2�\�D�r�i�v�e�r�s�\�B�e�e�p�.�s�y�s�
\�R�e�g�i�s�t�r�y�\�M�a�c�h�i�n�e�\�S�Y�S�T�E�M�\�C�u�r�r�e�n�t�C�o�n�t�r�o�l�S�e�t�\�s�e�r�v�i�c�e�s�\�B�e�e�p�
S�y�s�t�e�m�3�2�\�D�r�i�v�e�r�s�\�N�t�H�o�o�k�.�s�y�s�
E�r�r�o�r�C�o�n�t�r�o�l�
D�i�s�p�l�a�y�N�a�m�e�
N�t�H�o�o�k�
P�s�S�e�t�C�r�e�a�t�e�P�r�o�c�e�s�s�N�o�t�i�f�y�R�o�u�t�i�n�e�
\�D�r�i�v�e�r�\�D�i�s�k�
S�T�A�R�T� �P�A�G�E�
s�t�a�r�t�p�a�g�e�x�x�x�
\�?�?�\�C�:�\�W�i�n�d�o�w�s�\�S�y�s�t�e�m�3�2�\�d�r�i�v�e�r�s�\�N�t�H�o�o�k�.�s�y�s�
\�?�?�\�C�:�\�W�i�n�d�o�w�s�\�S�y�s�t�e�m�3�2�\�d�r�i�v�e�r�s�\�b�e�e�p�.�s�y�s�
5�\�D�e�v�i�c�e�\�I�p�
E�\�C�O�R�A�L�.�E�X�E�
\�1�1�5�B�R�.�E�X�E�
\�T�T�R�A�V�E�L�E�R�.�E�X�E�
\�N�A�V�I�G�A�T�O�R�.�E�X�E�
\�S�A�F�A�R�I�.�E�X�E�
\�C�H�R�O�M�E�.�E�X�E�
\�O�P�E�R�A�.�E�X�E�
\�T�H�E�W�O�R�L�D�.�E�X�E�
\�M�A�X�T�H�O�N�.�E�X�E�
\�F�I�R�E�F�O�X�.�E�X�E�
\�G�R�E�E�N�B�R�O�W�S�E�R�.�E�X�E�
\�3�6�0�S�E�.�E�X�E�
\�S�O�G�O�U�E�X�P�L�O�R�E�R�.�E�X�E�
\�Q�Q�B�R�O�W�S�E�R�.�E�X�E�
\�I�E�X�P�L�O�R�E�.�E�X�E�
\�E�X�P�L�O�R�E�R�.�E�X�E�
\�S�E�R�V�I�C�E�S�.�E�X�E�
s�\�?�?�\�C�:�\�W�i�n�d�o�w�s�\�S�y�s�t�e�m�3�2�\�s�a�f�e�m�o�n�.�d�l�l�
\�D�o�s�D�e�v�i�c�e�s�\�N�t�H�o�o�k�
\�D�e�v�i�c�e�\�d�e�v�N�t�H�o�o�k�
s�t�a�r�t�p�a�g�e�x�x�x�
\�R�e�g�i�s�t�r�y�\�M�a�c�h�i�n�e�\�S�Y�S�T�E�M�\�C�u�r�r�e�n�t�C�o�n�t�r�o�l�S�e�t�\�s�e�r�v�i�c�e�s�\�N�t�H�o�o�k�
$�&�\�?�?�\�P�h�y�s�i�c�a�l�D�r�i�v�e�0�
\�?�?�\�C�d�R�o�m�0�
\�D�r�i�v�e�r�\�D�i�s�k�
E�r�r�o�r�C�o�n�t�r�o�l�
D�i�s�p�l�a�y�N�a�m�e�
N�t�H�o�o�k�
I�m�a�g�e�P�a�t�h�
\�R�e�g�i�s�t�r�y�\�M�a�c�h�i�n�e�\�S�Y�S�T�E�M�\�C�u�r�r�e�n�t�C�o�n�t�r�o�l�S�e�t�\�s�e�r�v�i�c�e�s�\�N�t�H�o�o�k�
S�y�s�t�e�m�3�2�\�D�r�i�v�e�r�s�\�N�t�H�o�o�k�.�s�y�s�
\�?�?�\�C�:�\�W�i�n�d�o�w�s�\�S�y�s�t�e�m�3�2�\�D�r�i�v�e�r�s�\�N�t�H�o�o�k�.�s�y�s�
j�j�j�j�j�j�
j�j�j�j�j�j�$�
j�j�j�j�j�j�$�
j�j�j�j�j�j�
j�j�j�j�j�j�j�
(�n�u�l�l�)�
K�E�R�N�E�L�3�2�.�D�L�L�
m�s�c�o�r�e�e�.�d�l�l�
� � � � � � � � �(�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
� � � � � � � � �h�(�(�(�(� � � � � � � � � � � � � � � � � � �H�
� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �H�
k�s�a�f�e�t�r�a�y�.�e�
k�x�e�t�r�a�y�.�e�
3�6�0�T�R�A�Y�
s�a�f�e�m�o�n�.�d�
S�O�F�T�W�A�R�E�\�M�i�c�r�o�s�o�f�t�\�W�i�n�d�o�w�s�\�C�u�r�r�e�n�t�V�e�r�s�i�o�n�\�E�x�p�l�o�r�e�r�\�B�r�o�w�s�e�r� �H�e�l�p�e�r� �O�b�j�e�c�t�s�
C�L�S�I�D�\�
\�I�n�p�r�o�c�S�e�r�v�e�r�3�2�
\�S�E�R�V�I�C�E�S�.�E�X�E�
\�E�X�P�L�O�R�E�R�.�E�X�E�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�8�0�4�0�4�b�0�
C�o�m�p�a�n�y�N�a�m�e�
M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
s�a�f�e�m�o�n�
F�i�l�e�V�e�r�s�i�o�n�
6�,� �1�,� �7�6�0�0�,� �1�6�3�8�5�
I�n�t�e�r�n�a�l�N�a�m�e�
s�a�f�e�m�o�n�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
C�o�p�y�r�i�g�h�t� �(�C�)� �2�0�0�9�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
s�a�f�e�m�o�n�.�d�l�l�
P�r�o�d�u�c�t�N�a�m�e�
s�a�f�e�m�o�n�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
6�,� �1�,� �7�6�0�0�,� �1�6�3�8�5�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�0�0�0�0�4�b�0�
A�u�t�h�o�r�
I�m�S�u�p�e�r�M�a�n�
C�o�m�p�a�n�y�N�a�m�e�
M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
W�i�n�d�o�w�s� �P�l�a�y�e�r�
F�i�l�e�V�e�r�s�i�o�n�
1�.�0�.�0�.�1�0�6�
I�n�t�e�r�n�a�l�N�a�m�e�
N�t�H�o�o�k�.�s�y�s�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
M�i�c�r�o�s�o�f�t� �C�o�r�p�o�r�a�t�i�o�n�.� �A�l�l� �r�i�g�h�t�s� �r�e�s�e�r�v�e�d�.�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
N�t�H�o�o�k�
P�r�o�d�u�c�t�N�a�m�e�
M�i�c�r�o�s�o�f�t� �W�i�n�d�o�w�s� �O�p�e�r�a�t�i�n�g� �S�y�s�t�e�m�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
W�e�b�s�i�t�e�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
Process Tree
Hosts
| IP |
|---|
| 114.114.114.114 |
| 8.8.8.8 |
| 161.35.49.148 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com |
A 131.107.255.255
A 131.107.255.255 |
131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
TCP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 161.35.49.148 | 443 | 192.168.56.101 | 49165 |
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 61714 | 8.8.8.8 | 53 |
| 192.168.56.101 | 56933 | 8.8.8.8 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57665 | 114.114.114.114 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
Sorry! No dropped files.
Sorry! No dropped buffers.