Sample details: 62c991ecd7a1c95a1dbfcf1e09e7280a (MD5)

Hashes
MD5: 62c991ecd7a1c95a1dbfcf1e09e7280a
SHA1: 36903717aafa393ca12aca6a57246a7dc1d03d09
SHA256: 561c25694083b96d3912b3096bc2e9f35ee84a1850ac2297ff6e2cac849dd670
SSDEEP: 6144:ieMwPApe4Ji354SzyB5FeHuQOS8rwnF6BW+UVlG1m6SY+m:BMWAk47SeHw8cF6BgVlKm6Im
Details
File Type: PE32+
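Yara Hits (rule names are pattern matches on the file, not confirmed behaviour or a family attribution; the sample's own banner string in the listing below refers to a "hacker's door server")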
YRP/Microsoft_Visual_Cpp_80_DLL | YRP/IsPE64 | YRP/IsWindowsGUI | YRP/HasRichSignature | YRP/domain | YRP/contentis_base64 | YRP/System_Tools | YRP/Dropper_Strings | YRP/DebuggerCheck__QueryInfo | YRP/DebuggerException__ConsoleCtrl | YRP/DebuggerException__SetConsoleCtrl | YRP/anti_dbg | YRP/inject_thread | YRP/create_service | YRP/escalate_priv | YRP/screenshot | YRP/rat_rdp | YRP/rat_telnet | YRP/win_mutex | YRP/win_registry | YRP/win_token | YRP/win_files_operation | YRP/Big_Numbers1 | YRP/Str_Win32_Winsock2_Library | YRP/Str_Win32_Wininet_Library | YRP/Str_Win32_Internet_API | FlorianRoth/PlugX_J16_Gen |
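Strings
Note: raw, unfiltered string extraction; spelling errors in the strings are the sample's own. The DOS-stub message appears twice, which suggests a second PE image embedded in the file. The unreadable strings that follow the second stub appear to be encoded with a one-to-one substitution over printable ASCII: the 95-character string beginning u("60[Jw{ is consistent with the lookup table (plaintext character c maps to table[c - 0x20]), under which, for example, 9kRw.u`]2Ru]K`r2QQ( reads "Can't open process!".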
		!This program cannot be run in DOS mode.
dg Wdg Wdg W
[Wfg Wm
Wng Wm
WVg WC
[Wug Wdg!W
Weg Wz5
Weg Wm
Weg WRichdg W
`.rdata
@.data
.pdata
@.rsrc
@.reloc
VWATAUAVH
A^A]A\_^
|$ ATH
@UATAVH
 A^A\]
 A^A\]
|$ ATH
|$ ATH
SVWATH
XA\_^[
SVWATAUH
PA]A\_^[
D$ HcD$ H;
XLcL$ E3
LcD$Hf
D$HHcD$HH;
D$HLcL$HE3
D$HHcD$HH;
LcL$HE3
D$P9D$Hu	
D$H9D$P|
D$P9D$H}
HcD$ f
D$p9D$ sh
D$`9D$0
D$4HcL$4
D$`LcD$43
D$DHcL$D
D$pLcD$D3
HcD$ H
D$X9D$ |
HcD$ H
D$X9D$ |
teHcL$pH
HcL$pH
HcL$pH
H9D$8v
H;D$Hw
H;D$Hw
H9D$8u
H9D$`w
D$ H9D$h
H9D$`s
H9D$`s
H9D$ u
H;D$8s
H;D$Pv
D$@H;H
H;D$ s
H9D$ s
H;D$ s
H9D$ s
D$8H9A
@ H9D$8v
fffffff
H;X w"H
H;X w"H
D$8H9D$0t
D$8H9D$0t
D$8H9D$0t
D$xH9D$pt.L
D$8H9D$0t-H
D$0HcX
D$0HcX
LcD$@H
D$0HcX
D$8Lc@
D$0H9D$8u
D$0HcX
D$8Lc@
D$ 9D$P~
LcD$PHcL$XH
D$ LcD$H
D$,Hc\$,
D$@Lc@
|.HcT$PH
HcT$PH
(LcD$PHcL$(H
D$P9D$ ~
D+L$XD
D$HLcD$@
Hc\$@H
t$ WATAUAVAWH
 A_A^A]A\_
p WATAUH
 A]A\_
WATAUH
A;9~	I
 A]A\_
ATAUAVH
 A^A]A\
fffffff
fffffff
WATAUAVAWH
@A_A^A]A\_
l$ AVH
WATAUAVAWH
A_A^A]A\_
x ATAUAVH
< tG<	tC
 A^A]A\
Hct$@H
s\HcL$HH
` AUAVAWH
fD9|$b
A_A^A]
SVWATAUAVAWH
0A_A^A]A\_^[
WATAUAVAWH
 A_A^A]A\_
@SWATAUAVAWH
L!t$HL!t$@
D$PL9wXt(
D$8HcH
A_A^A]A\_[
ATAUAVH
0A^A]A\
VWATAUAVH
A^A]A\_^
UVWATAUAVAWH
pA_A^A]A\_^]
UVWATAUAVAWH
G0Hc	H
A_A^A]A\_^]
WATAVH
@A^A\_
UVWATAUAVAWH
D$DD9T$X
l$h+t$D+
9D$Ptu;
A_A^A]A\_^]
x ATAUAWH
D8l$Ht
D8l$Ht
D8l$Ht
A_A]A\
@SVWATH
` AUAVAWH
D8t$Ht
D8t$Ht
7D8t$H
gfffffffH
A_A^A]
@8|$Ht
@8t$Ht
@SVWATH
xA\_^[
@SUVWATH
A\_^][
LcA<E3
WATAUAVAWH
H!t$ E3
A_A^A]A\_
VWATAUAVH
@A^A]A\_^
UVWATAUH
D$&8\$&t-8X
@A]A\_^]
AUAVAWH
0A_A^A]
L$ UVWH
\$@A9k
@8l$Xt
@UATAUAVAWH
e A_A^A]A\]
L$ UATAUAVAWH
A_A^A]A\]
H!\$ E3
\$ UVWATAUAVAW
H!|$ E3
|$@9l$L
f;D$Dux
H!\$ H
HcD$HH;
H!\$ H
HcD$HH;
H!|$ L
A_A^A]A\_^]
WATAUAVAWH
0A_A^A]A\_
WATAUAVAWH
0A_A^A]A\_
x ATAUAVH
@8|$Ht
A^A]A\
SVWATAUAVAWH
@A_A^A]A\_^[
SVWATAUAVAWH
@A_A^A]A\_^[
UVWATAUAVAWH
`9\$8u
fD92r&H
\$PfD3
\$TfE#
\$XfA;
\$VfA;
A_A^A]A\_^]
UVWATAUAVAWH
l$XfD9u
d$`fA#
|$2fA;
d$ffA;
d$dfD3
d$hfE#
fD9l$0
L$x};A
A_A^A]A\_^]
fD9l$0
@USVWATAUAVAWH
eHA_A^A]A\_^[]
WATAUH
0A]A\_
L$@tfH
\$0A9k
@8l$Ht
@8l$Ht
E@H9E t
H(H9J(u
string too long
invalid string position
bad allocation
last error:%d line:%dGetLastError()=0x%x
last error:%d line:%dGetLastError()=0x%x
last error:%d line:%dGetLastError()=0x%x
last error:%d line:%dGetLastError()=0x%x
COMSPEC
 /c del 
 > nul
IsWow64Process
kernel32
Wow64DisableWow64FsRedirection
kernel32.dll
Wow64EnableWow64FsRedirection
kernel32.dll
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
InitializeAcl
GetLengthSid
AllocateAndInitializeSid
AddAccessDeniedAce
AddAccessAllowedAce
vector<T> too long
bad allocation
bad allocation
IsWow64Process
Unknown exception
CorExitProcess
runtime error 
TLOSS error
SING error
DOMAIN error
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
- not enough space for locale information
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
- CRT not initialized
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program: 
bad exception
(null)
`h````
xpxxxx
 Complete Object Locator'
 Class Hierarchy Descriptor'
 Base Class Array'
 Base Class Descriptor at (
 Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
 delete[]
 new[]
`local vftable constructor closure'
`local vftable'
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
 delete
__unaligned
__restrict
__ptr64
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
`h`hhh
xppwpp
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
1#QNAN
1#SNAN
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
CONOUT$
bad allocation
\hh.exe
Global\doorneedshut
CreateFileA
WaitForSingleObject
SetEvent
SetFileTime
GetWindowsDirectoryA
GetCommandLineA
WideCharToMultiByte
LoadLibraryW
CopyFileW
CreateEventA
GetModuleFileNameW
lstrcatA
GetLastError
OpenEventA
GetFileTime
CloseHandle
lstrcpyA
KERNEL32.dll
CreateServiceW
CloseServiceHandle
DeleteService
OpenSCManagerW
OpenServiceW
StartServiceA
ADVAPI32.dll
GetAdaptersInfo
IPHLPAPI.DLL
NtQueryInformationProcess
RtlPcToFileHeader
RtlLookupFunctionEntry
RtlUnwindEx
RtlVirtualUnwind
RtlCaptureContext
ntdll.dll
EnumProcesses
GetModuleFileNameExW
PSAPI.DLL
CreateEnvironmentBlock
USERENV.dll
LocalFree
LocalAlloc
GetProcAddress
GetVersionExW
FreeLibrary
GetTickCount
ExpandEnvironmentStringsW
CreateDirectoryW
WriteFile
CreateFileW
SetFilePointer
LockResource
LoadResource
SizeofResource
FindResourceW
ReadFile
GetFileSize
HeapAlloc
GetProcessHeap
HeapFree
lstrcpyW
CreateProcessW
MultiByteToWideChar
GetCurrentProcess
lstrcmpiW
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
OpenProcess
ResumeThread
CreateProcessA
SetThreadPriority
GetCurrentThread
SetPriorityClass
GetEnvironmentVariableA
GetShortPathNameA
GetModuleFileNameA
GetModuleHandleA
LoadLibraryA
TerminateProcess
lstrlenA
lstrlenW
ReadProcessMemory
VirtualQueryEx
GetModuleHandleW
VirtualProtectEx
WriteProcessMemory
VirtualAllocEx
GetStartupInfoA
RaiseException
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
ExitProcess
GetStdHandle
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
DeleteCriticalSection
EncodePointer
DecodePointer
FlsGetValue
FlsSetValue
FlsFree
SetLastError
GetCurrentThreadId
FlsAlloc
HeapSetInformation
HeapCreate
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
EnterCriticalSection
LeaveCriticalSection
HeapSize
InitializeCriticalSectionAndSpinCount
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
HeapReAlloc
GetLocaleInfoA
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
GetConsoleCP
GetConsoleMode
FlushFileBuffers
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
SetStdHandle
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
GetTokenInformation
FreeSid
EqualSid
AllocateAndInitializeSid
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
CreateProcessAsUserW
ShellExecuteExW
SHELL32.dll
PathFileExistsW
SHLWAPI.dll
WS2_32.dll
.?AVlogic_error@std@@
.?AVlength_error@std@@
.?AVout_of_range@std@@
.?AVCCHK@@
.?AVtype_info@@
.?AVbad_exception@std@@
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.?AVexception@std@@
.?AVbad_alloc@std@@
!This program cannot be run in DOS mode.
W*+nWP
W*+hWO
W*+}Ws
W*+iW]
W*+oW]
W*+kW]
WRich\
`.data
.pdata
@.rsrc
@.reloc
u("60[Jw{XMl?sc^8G|}z@:A*ENDydgmet!9#< ICiL;1W/U>&YbaTSZ-%x5\v=4'k_r,2O+qfB37VR`])KQ.oPhnj$H~Fp
DISPLAY
%s%d.%d SEQ:%s
The version of personal hacker's door server is 
Classes
.DEFAULT
TR3R`hu2KK`KuO`oR,(
/`u1`rk7uTQ2Ku1`+`R(
Users logged on locally:
The Domain:
System Dir:
Computer Name:
Unknow
Windows 2000/xp/2003 Server
 Windows 2000/xp/2003 domain controller 
Product type:%s
Windows 2000/xp/2003 Professional
Service Pack:%d.%d
System Version:Windows nt %d.%d build:%d
Intel  Pentium III or high
Type of CPU:%s
Intel Pentium or Intel Pentium low
Number of CPU:%d
aq2u]kKkV2.2KufQufRPk7f,(
aq2u]K`r2QQuqkQu_22Ru3f772,(
9kRw.u`]2Ru]K`r2QQ(
9kRw.uQ2.u]K`r2QQu>KfPf72+2(
SeDebugPrivilege
9kRw.u`]2Ru]K`r2QQu.`32R(
9kRw.u+2.u]K`r2QQuf,(
bqo.,`hRuQjQ.2VuQorr2QQOo77j(
Y2_``.uQjQ.2VuQorr2QQOo77j(
SeShutdownPrivilege
aqfQur`VVkR,ufQu`R7juQo]]`K.2,ufRuhfR,`hQu|888(
9kRw.uQ2.uab<Rk_72(
9kRw.uQ2.uK2+fQ.2KuPk7o2(
9`VVkR,u2n2ro.2uQorr2QQOo77j(
shutdown
aq2uQjQ.2Vuhf77uK2_``.uR`h(
PortNumber
SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Hotkey
.DEFAULT\Keyboard Layout\Toggle
SYSTEM\CurrentControlSet\Services\TermService
SYSTEM\CurrentControlSet\Services\TermDD
TSEnabled
SYSTEM\CurrentControlSet\Control\Terminal Server
EnableAdminTSRemote
SOFTWARE\Policies\Microsoft\Windows\Installer
Enabled
SOFTWARE\Microsoft\Windows\CurrentVersion\netcache
aq2u]`K.ufQufRPk7f,(
aqfQur`VVkR,ufQu`R7juQo]]`K.2,ufRuhfR,`hQu|888uQ2KP2K(
9kRw.u`]2RuQ2KPfr2(
9kRw.uQ.kK.u.27R2.uQ2KPfr2(
aq2u.27R2.uQ2KPfr2ufQuQ.kK.2,uQorr2QQOo77j(
TlntSvr
9kRw.u`]2Rub2KPfr2ur`R.K`7uVkRk+2K(
TelnetPort
9kRw.u`]2RuY2+fQ.2K(
SOFTWARE\Microsoft\TelnetServer\1.0
9kRw.u`]2RurV,uQq277(
aq2ur`VVkR,uQq277ufQuk7K2k,ju`]2R(
<nf.uborr2QQOo77j
9`VVkR,u2n2ro.2uOkf72,(
 done, ret = %d
9kRw.u`]2RuOf72(
Default
WinSta0
brK22Rur`]juQorr2QQOo77j(
9kRw.uhKf.2u_V]uOf72(
9kRw.u+2.uQrK22Ru,k.k(
screen.bmp
b2.ur`RR2r.u_kr3ufR.2KPk7uQorr2QQOo77j(
9kRw.uQ2.ur`RR2r.u_kr3ufR.2KPk7(
The connect back interval is %d (minutes)
9qkR+2u,fKuOkf72,(
9qkR+2u,fKuQorr2QQOo77j(
9`R.K`7g
aq2uW2QQk+2ufQu.`u7`R+u.`uQ2R,(
	Z27r`V2u_kr3?WkQ.2K(RuTQ2uwmwu.`u+2.uC27]
9kRw.u2nf.ur`VVkR,uQq277(
aq2ur`VVkR,ufQuR`.uO`oR,(
aq2ur`VVkR,uQjR.knufQuR`.ur`KK2r.(
aq2ur`VVkR,ufQu.``u7`R+u.`uK2rPur`V]72.27j(
Y2rPu#k.ku2KK`K(
aq2uQ2QQf`RufQu.fV2u`o.u_2rkoQ2u.q2uoQ2KufQuR`ukr.f`RufRukuO2huVfRo.2Q(
99V,>K`r!kQ2NNWkfR1``]N
b2R,u#k.ku2KK`K(
9kRw.uOfR,ukRjuq27]ufRO`Vk.f`R(
ssssssssssssssssssssssssssss
uuuuuuuuuuuMMMMMMMM9`VVkR,Qu1fQ.MMMMMMMM
9kRw.u7fQ.u]K`r2QQ(
%-20d%s
>K`r2QQi#uuuuuuuuu>K`r2QQ/kV2
aq2u2KK`KufRO`ufQuR`.uQq`hufRu.qfQuP2KQf`R(
9kRw.uo],k.2uqkr32KwQu,``K(
Ckr32KwQu,``KufQuo]k.2,uQorr2QQOo77j(
#`hR7`k,u.q2uOf72uQorr2QQOo77j(
9kRw.u,`hR7`k,u.q2uOf72
9K2k.2u,`hR7`k,u.qK2k,uQorr2QQOo77j(
9kRw.urK2k.2u,`hR7`k,u.qK2k,
ossystem.sys
I2.uOf72uOkf72,(
Y2k,uOf72u2KK`K(
I2.uOf72uQorr2QQOo77j(
 f72u.`u7`R+(
>o.uOf72uQorr2QQOo77j(
>o.uOf72uOkf72,(
ZKf.2uOf72u2KK`K(
5,fKv?rqkR+2uroKK2R.u,fKu.`u5,fKv
]o.Of72
5QKrOf72vu5,Q.Of72v?]o.u5QKrOf72vuOK`Vu7`rk7uVkrqfR2u.`uK2V`.2uVkrqfR2?kR,uK2RkV2u.`u5,Q.Of72v
+2.Of72
5QKrOf72vu5,Q.Of72v?+2.u5QKrOf72vuOK`VuK2V`.2uVkrqfR2u.`u7`rk7uVkrqfR2?kR,uK2RkV2u.`u5,Q.Of72v
7fQ.uk77uOf72QukR,u,fKQ
+2.,fK
+2.uk77u,fQ3
+2.,fQ3
Q2.fR.2KPk7
Q2.fR.2KPk7u5VfRo.2Qv?b2.u`KuQq`hu.q2ur`RR2r.fR+u_kr3ufR.2KPk7u.fV2
r`]jQrK22Ru5_V]uOf72RkV2v?9`]juroKK2R.uQrK22Ru.`uku_V]uOf72
r`]jQrK22R
+2.oK7
oK7u57`rk7Of72RkV2v?+2.uOf72uOK`VuwoK7wu.`uw7`rk7Of72RkV2w?fOuw7`rk7Of72RkV2wddwo]w?f.uhf77uoQ2u.q2u,`hR7`k,uOf72u.`uo],k.2uqkr32KwQu,``K
5rV,Of72v?oQ2urV,Of72u.`urK2k.2uku]K`r2QQu.`u2n2ro.2ur`VVkR,
`]2RQq277
hfR2n2r
r`VVkR,?2n2ro.2ur`VVkR,uoQfR+uhfR2n2ruOoRr.f`R
<nf.u.q2uQq277u`Ouqkr32KwQu,``K
2nf.Qq277
5^Kv?Zf.quw^Kwu.`uK2_``.uQjQ.2V?27Q2u]`h2Ku`OOuQjQ.2V
Qqo.,`hR
I2.u.q2uQjQ.2VufRO`uOK`VuK2V`.2uVkrqfR2
+2.QjQfRO`
]Q3f77
]i#?;f77u.q2u]K`r2QQu`OuK2V`.2uVkrqfR2
I2.u]K`r2QQu7fQ.uOK`VuK2V`.2uVkrqfR2
]Q7fQ.
5]`K.v?`]2Ru.27R2.uQ2KP2Kuhf.qu5]`K.v?,2Oko7.u]`K.ufQu|}
`]2R.27R2.
`]2R}}*E
5]`K.vu5^Kv?hf.quw]`K.wu.`uQ]2rfk7u.2KVQ2KP2KuwQu]`K.?hf.quw^Kwu.`uK2_``.uQjQ.2V
OfR,]kQQ
I2.uk77u7`+`RuoQ2KwQuoQ2KRkV2ukR,u]kQQh`K,
I2.u.q2uP2KQf`Ru`Ouqkr32KwQu,``KufRQ.k772,
9`VV`RNt,,#2_o+>KfPf72+2N
SeLoadDriverPrivilege
9`VV`RNt,,1`k,#KfP2K>KfPf72+2N
I7`_k7\bjQ.2VafV2|
I7`_k7\bjQ.2VafV28
I7`_k7\bjQ.2VafV2}
q3,``K]kQQ
0000000000000
I'mhackeryythac1977
kernel32.dll
9 fR,>kQQNNiRf.N
9kRw.u+2.uOoRr.f`Ruk,,K2QQ(
RtlRunDecodeUnicodeString
RtlDestroyQueryDebugBuffer
RtlQueryProcessDebugInformation
RtlCreateQueryDebugBuffer
NtQuerySystemInformation
NTDLL.DLL
Domain:%S,User:%S,Password:%s
/`u1`+`RufRO`KVk.f`RuO`oR,(
The session:%d login information is:
winlogon.exe
rdpclip.exe
explorer.exe
found service_record table! version <= 6.1
found service_record table 6.2 or 6.3!
Version: major:%d, minor:%d
SvcHostDLL: RegisterServiceCtrlHandler %S failed
Product type:
Windows 2000/xp/2003/2008 Server
 Windows 2000/xp/2003/2008 domain controller 
Windows 2000/xp/2003/2008 Professional
hkdoorevt
<KK`KurK2k.2urV,u]K`r2QQ`K(
I7`_k7\bjQ.2VafV2G
Global\%s
9kRw.uQ.kK.uq3,``K?Vkj_2uf.uk7K2k,juKoR(
Y2rPu2nf.u2P2R.?.q2u_kr3,``Ku2nf.2,(
closehandle error:%d
closehandle
Terminate thread:%d
TRfRQ.k77uQ.2]u}
TRfRQ.k77uQ.2]u|
9kRw.uoRfRQ.k77?9K2k.2Wo.2nu ti1<#(
TRfRQ.k77uQ.2]uG
2KK`KuZkf. `KbfR+72U_B2r.(
b.kK.uqkr32KwQu,``KuQorr2QQOo77j(
2KK`KuQ2.u7`+fRu2P2R.(
2KK`KurK2k.2u7`+fRu2P2R.(
2KK`KuQ2.u7`+fRu]kQQh`K,(
error set login password
2KK`Ku+2.u7`+fRu]kQQh`K,(
9kRw.uqf,2u,KfP2K(
9kRw.u7`k,u,KfP2K(
dwResult:%d
\drivers\ntfs.sys
9kRw.u2nkr.u,KfP2KuOf72(
drivers
%s:%s,%s:%s,IsInstall:%d
OS system info
TR7`k,#KfP2KuQorr2QQOo77j(
9kRw.uQ.kK.uR2.uh`K3u,KfP2K(
dwResult=%d
IPFILTERDRIVER
!2+fRu.`uQ.kK.uqkr32KwQu,``Kcccc
9kRw.uQ.kK.uKoRRfR+(
Entering DLL_PROCESS_ATTACH
rundll32.exe
ZfRb`r3u#11uP2KQf`RufQu2KK`Ku
9i]>kr32.!kQ2NNiRf.fk7f$2b`r32.QN
Zbtb.kK.o]u2KK`K
Q2.Q`r3`].uOoRr.f`Ru2KK`Ku
9i]>kr32.!kQ2NN9K2k.2N
Q`r32.uOoRr.f`Ru2KK`Ku
Q2R,.`uOoRr.f`Ru2KK`K
9kRw.uVk77`ruR2h!oOu
9i]>kr32.!kQ2NNb2R,>kr32.N
9`RQ.Kor.i>C2k,2KuOoRr.f`Ru2KK`K
9`o7,Rw.uk77`ruV2V`Kjc
9`o7,uR`.u7`r3u]kQQh`K,c
9`o7,uR`.u7`k,u]kQQh`K,c
aq2u]kQQh`K,uQf$2ufQu$2K`c
9Y2QWkRk+2KNNI2.Y2Q#k.kN
9`o7,uR`.u7`rk.2u]kQQh`K,c
9Y2QWkRk+2KNNI2.b.KfR+!jiR,2nN
9kRw.uOfR,uK2Q`oKr2c
%s%s%s
%s%s%s ErrorCode:%d
too many contents! just show a part.
%d/%d/%d %d:%d:%d %s
Can't open  log file:%s 
system.txt
error=%d
ComSpec
Winlogon
Sell_DESKTOP
9ar]>kr32.NNb2R,>kr32.N
9`RQ.Kor.ar]C2k,2KuOoRr.f`Ru2KK`K
9kRw.uQ2.uQ2QQf`Ru2P2R.
9kRw.urK2k.2uq>kr32.<P2R.
9kRw.u+2.u.q2uroKK2R.u7`+fRuQ2QQf`RufRO`
9ar]b2QQf`RNN9K2k.2N
] f7.2K#KfP2KufQufRPk7f,
I<a4>t9;<au2KK`K
9ar]b2QQf`RNNY2rP>kr32.N
>kKkVu2KK`K
b2R,u,k.ku.fV2u`o.?Vkj_2u.q2uQ2KP2KufQu,`hR
Y2rP>kr32.u2KK`K
9ar]b2QQf`RNNb2R,#k.kN
b2R,>kr32.u2KK`K
fail start server.driver name=%s
open driverdosname=%s driverhandle=%d
\\.\Global\
system32\Drivers\
%s%s.sys
\system32\Drivers\
%s\%s.sys
preapre to load driver!!! retCode=%d
<4,$?7/'
(3-!0,1'8"5.*2$
`h````
ppxxxx
(null)
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
bad exception
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
CorExitProcess
mscoree.dll
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
runtime error 
TLOSS error
SING error
DOMAIN error
- CRT not initialized
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program: 
Unknown exception
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
InitializeCriticalSectionAndSpinCount
SetThreadStackGuarantee
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
D$@usH
D$`uQH
\$@D;\$Hu
D$Pt*3
t$ @81
ti<"uOH
unknown
D9d$@u
t$`fff
f9D$6uhL
t&9{,t!9{$t
{(9{ t=
t+D9q,t%D9q$t
s(D9s tB
|$xIcx
t$@Hcr
t)IcL$
d$@Lca
L$0H)D$0
t$0u$A
L$HtFH
L$Ht=H
\$8fff
t$xA9?
D$pL9gXt%
D$`HcH
H(H9J(u
E(L9`0u
T$0LcC
tfHcD$0H
|$Ft8fff
@8|$&H
t%9t$Pu
x"H9pxu#
Lc\$PHcL$0J
K H;H t
K(H;H(t
K0H;H0t
K8H;H8t
K@H;H@t
KHH;HHt
d$PH95
L$(fff
E>8]>t$
E>8]>t%
x]L9#tXH
GlobalFree
GlobalAlloc
WaitForSingleObject
WideCharToMultiByte
__C_specific_handler
GetProcAddress
GetModuleHandleA
GetVersionExA
GetSystemDirectoryA
GetComputerNameA
GetSystemInfo
TerminateProcess
OpenProcess
CloseHandle
GetCurrentProcess
WinExec
MoveFileExA
DeleteFileA
CopyFileA
GetModuleFileNameA
WriteFile
CreateFileA
GlobalSize
GetCurrentThreadId
GetDriveTypeA
SetCurrentDirectoryA
GetCurrentDirectoryA
CreateThread
FindClose
FindNextFileA
FindFirstFileA
GetFileAttributesExA
GetLastError
MultiByteToWideChar
OpenMutexA
ReadProcessMemory
LoadLibraryA
WriteProcessMemory
HeapFree
HeapAlloc
GetProcessHeap
VirtualQueryEx
lstrcmpiW
lstrlenW
ExpandEnvironmentStringsW
GetWindowsDirectoryW
GetVersionExW
DefineDosDeviceW
GetPrivateProfileSectionW
GetTickCount
GetComputerNameW
GetThreadPriority
CreateMutexA
GetWindowsDirectoryA
ExitProcess
OpenEventA
TerminateThread
CreateEventA
GetSystemDefaultLCID
GetCurrentProcessId
SetLastError
DeviceIoControl
IsBadReadPtr
Module32First
CreateToolhelp32Snapshot
Process32Next
ProcessIdToSessionId
Process32First
FreeResource
LockResource
LoadResource
SizeofResource
FindResourceA
FreeConsole
GetExitCodeProcess
GetConsoleTitleA
CreateProcessA
GetEnvironmentVariableA
CreatePipe
ReadFile
PeekNamedPipe
SetConsoleCursorPosition
WriteConsoleOutputA
SetConsoleCtrlHandler
SetConsoleWindowInfo
SetConsoleScreenBufferSize
GetStdHandle
AllocConsole
GetConsoleScreenBufferInfo
ReadConsoleOutputA
WriteConsoleInputA
GenerateConsoleCtrlEvent
GetFileAttributesA
KERNEL32.dll
ReleaseDC
ExitWindowsEx
CloseDesktop
SetThreadDesktop
CloseWindowStation
OpenDesktopA
SetProcessWindowStation
OpenWindowStationA
GetThreadDesktop
GetProcessWindowStation
GetUserObjectInformationA
CreateDesktopA
CreateWindowStationA
USER32.dll
GetDIBits
RealizePalette
SelectPalette
GetStockObject
DeleteDC
DeleteObject
GetObjectA
BitBlt
SelectObject
CreateCompatibleBitmap
CreateCompatibleDC
GetDeviceCaps
CreateDCA
EnumFontFamiliesW
GDI32.dll
RegCloseKey
LookupAccountSidA
ConvertStringSidToSidA
RegEnumKeyA
OpenProcessToken
RegSetValueExA
RegCreateKeyA
StartServiceA
ChangeServiceConfigA
CloseServiceHandle
ControlService
QueryServiceStatus
OpenServiceA
OpenSCManagerA
RegOpenKeyA
AdjustTokenPrivileges
LookupPrivilegeValueA
LookupAccountSidW
GetTokenInformation
LookupPrivilegeValueW
SetServiceStatus
RegisterServiceCtrlHandlerA
CreateServiceA
DeleteService
ADVAPI32.dll
WS2_32.dll
GetModuleFileNameExA
EnumProcessModules
EnumProcesses
GetModuleFileNameExW
PSAPI.DLL
imagehlp.dll
VERSION.dll
InternetCloseHandle
InternetReadFile
InternetOpenUrlA
InternetOpenA
WININET.dll
QueryPerformanceCounter
GetSystemTimeAsFileTime
UnhandledExceptionFilter
SetUnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlUnwindEx
MoveFileA
ExitThread
ResumeThread
RaiseException
RtlPcToFileHeader
HeapReAlloc
GetCommandLineA
TlsAlloc
TlsFree
TlsSetValue
TlsGetValue
EnterCriticalSection
LeaveCriticalSection
HeapSetInformation
HeapCreate
HeapDestroy
DeleteCriticalSection
SetFilePointer
SetHandleCount
GetFileType
GetStartupInfoA
GetACP
GetOEMCP
GetCPInfo
LCMapStringA
LCMapStringW
FlushFileBuffers
GetTimeZoneInformation
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
IsBadWritePtr
IsBadCodePtr
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
SetStdHandle
InitializeCriticalSection
VirtualProtect
VirtualAlloc
VirtualQuery
SetEndOfFile
CompareStringA
CompareStringW
SetEnvironmentVariableA
intelunt.dll
ServiceMain
LoadPerfCounterTextStringsW
UnloadPerfCounterTextStringsW
OfR,]kQQ
`]2R}}*E
`]2R.27R2.
]Q7fQ.
]Q3f77
+2.QjQfRO`
Qqo.,`hR
2nf.Qq277
hfR2n2r
`]2RQq277
+2.oK7
r`]jQrK22R
Q2.fR.2KPk7
+2.,fQ3
+2.,fK
+2.Of72
]o.Of72
5r`VVkR,v?I2.ur`VVkR,u7fQ.ukR,u.q2u,2QrKf].u`Ou.q2ur`VVkR,
I2.u.q2uP2KQf`Ru`Ouqkr32KwQu,``KufRQ.k772,
I2.uk77u7`+`RuoQ2KwQuoQ2KRkV2ukR,u]kQQh`K,
5]`K.vu5^Kv?hf.quw]`K.wu.`uQ]2rfk7u.2KVQ2KP2KuwQu]`K.?hf.quw^Kwu.`uK2_``.uQjQ.2V
5]`K.v?`]2Ru.27R2.uQ2KP2Kuhf.qu5]`K.v?,2Oko7.u]`K.ufQu|}
I2.u]K`r2QQu7fQ.uOK`VuK2V`.2uVkrqfR2
]i#?;f77u.q2u]K`r2QQu`OuK2V`.2uVkrqfR2
I2.u.q2uQjQ.2VufRO`uOK`VuK2V`.2uVkrqfR2
5^Kv?Zf.quw^Kwu.`uK2_``.uQjQ.2V?27Q2u]`h2Ku`OOuQjQ.2V
<nf.u.q2uQq277u`Ouqkr32KwQu,``K
r`VVkR,?2n2ro.2ur`VVkR,uoQfR+uhfR2n2ruOoRr.f`R
5rV,Of72v?oQ2urV,Of72u.`urK2k.2uku]K`r2QQu.`u2n2ro.2ur`VVkR,
oK7u57`rk7Of72RkV2v?+2.uOf72uOK`VuwoK7wu.`uw7`rk7Of72RkV2w?fOuw7`rk7Of72RkV2wddwo]w?f.uhf77uoQ2u.q2u,`hR7`k,uOf72u.`uo],k.2uqkr32KwQu,``K
r`]jQrK22Ru5_V]uOf72RkV2v?9`]juroKK2R.uQrK22Ru.`uku_V]uOf72
Q2.fR.2KPk7u5VfRo.2Qv?b2.u`KuQq`hu.q2ur`RR2r.fR+u_kr3ufR.2KPk7u.fV2
+2.uk77u,fQ3
7fQ.uk77uOf72QukR,u,fKQ
5QKrOf72vu5,Q.Of72v?+2.u5QKrOf72vuOK`VuK2V`.2uVkrqfR2u.`u7`rk7uVkrqfR2?kR,uK2RkV2u.`u5,Q.Of72v
5QKrOf72vu5,Q.Of72v?]o.u5QKrOf72vuOK`Vu7`rk7uVkrqfR2u.`uK2V`.2uVkrqfR2?kR,uK2RkV2u.`u5,Q.Of72v
5,fKv?rqkR+2uroKK2R.u,fKu.`u5,fKv
5r`VVkR,v?I2.ur`VVkR,u7fQ.ukR,u.q2u,2QrKf].u`Ou.q2ur`VVkR,
.?AVCRTException@@
/91UIi/
9W#1UIi/
IYt>CSi<Z1UIi/
IYt>C9aY1UIi/
 i1<aYt/b1UIi/
.?AVbad_exception@std@@
.?AVexception@@
0RPaq;
<?;EX)
bJMt[c
#1]5nl%
a>="5ML
75*K	T
9>8??h
~We$E;t
B@27z"
k:DO_gQk
$t'8Vo
p>%	^w
%yS?Gd=
~B71^kB
x@m&"R
Xod@*@
/bQOum.
q1o^bSX
dT6'bG]M[
w)%_2r
 Sd96f
~r^5OX)
OU@FJ}
ttOt4W8
:iG0d5
2Nr|-@
Y<t}UR
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD