Sample details: 9b300d911603fe1dd01d4af86ad1ad4c --

Hashes
MD5: 9b300d911603fe1dd01d4af86ad1ad4c
SHA1: 2d3f1285c3b59a0ef87026ad3ae5a3af8c292150
SHA256: a549d66df72ddfb85fd676abea3c136e621a239c301dada7817e7d269e99a8fb
SSDEEP: 12288:EfRYxE/CIk8cF6BgVlKm6ImUrvNZK2FMa73:EJKE/s8MSw4m6qLNhFMa
Details
File Type: PE32+
Yara Hits
YRP/Microsoft_Visual_Cpp_80_DLL | YRP/IsPE64 | YRP/IsConsole | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/contentis_base64 | YRP/System_Tools | YRP/Dropper_Strings | YRP/Misc_Suspicious_Strings | YRP/DebuggerException__ConsoleCtrl | YRP/DebuggerException__SetConsoleCtrl | YRP/anti_dbg | YRP/inject_thread | YRP/create_service | YRP/network_tcp_socket | YRP/escalate_priv | YRP/screenshot | YRP/rat_rdp | YRP/rat_telnet | YRP/win_mutex | YRP/win_registry | YRP/win_token | YRP/win_files_operation | YRP/Big_Numbers1 | YRP/Str_Win32_Winsock2_Library | YRP/Str_Win32_Wininet_Library | YRP/Str_Win32_Internet_API |
Strings
		!This program cannot be run in DOS mode.
`.rdata
@.data
.pdata
@.rsrc
\$ UVW
tcH9|$(ubL
fA;^XH
fA+^XfA;^Z@
t$pfA+^Z
@SVWAVAWH
H;D$Hw1
A_A^_^[
L$0uvH
@UVATAWH
A_A\^]
@USVAVAWH
A_A^^[]
\$ UVWATAUAVAWH
A_A^A]A\_^]
@UVWAVH
.detour
|$ UAVAWH
SVWAVH
8A^_^[
SVWAVAWH
0A_A^_^[
WAVAWH
 A_A^_
WAVAWH
 A_A^_
x ATAVAWH
 A_A^A\
UVWAVAWH
PA_A^_^]
UWATAUAVH
fB9<@u
fB9<@u
A^A]A\_]
;t$@u-
UWATAUAVH
A^A]A\_]
@USVWATAUAVAWH
A_A^A]A\_^[]
t-f9t$0u
fB94@u
WAVAWH
 A_A^_
WAVAWH
Bf9:u+M
UVWAVAWH
@A_A^_^]
UVWAVAWH
PA_A^_^]
ATAVAWH
 A_A^A\
VWATAVAWH
 A_A^A\_^
x ATAVAWH
 A_A^A\
fffffff
WATAUAVAWH
@A_A^A]A\_
` AUAVAWH
t$8Hc0I
\$0D9=
A_A^A]
Hct$@H
sYHcL$HH
x ATAVAWH
< tD<	t@
 A_A^A\
t$ WAVAWH
H3E H3E
WATAUAVAWH
A_A^A]A\_
VWATAVAWH
A_A^A\_^
UVWATAUAVAWH
G0Hc	H
A_A^A]A\_^]
D8eoupH
UVWATAUAVAWH
pA_A^A]A\_^]
WATAUAVAWH
 A_A^A]A\_
AUAVAWH
0A_A^A]
@SVWATAUAVAWH
L!|$@L!
D$HHcH
A_A^A]A\_^[
SVWATAUAVAWH
0A_A^A]A\_^[
WATAVH
@A^A\_
WATAUAVAWH
gfffffffH
D8L$Ht
A_A^A]A\_
x AUAVAWH
A_A^A]
@SUVWH
@SUVWH
@SUVWAVH
A^_^][
UVWATAUAVAWH
D$DD9T$X
|$h+t$D+
A_A^A]A\_^]
WAVAWH
 A_A^_
LcA<E3
t$ WATAUAVAWH
D!l$h3
0A_A^A]A\_
l$ VWATAVAWH
T$&@8t$&t9@8r
A81t@@8r
A_A^A\_^
@SUVWATAVAWH
PA_A^A\_^][
@USVWH
AUAVAWH
0A_A^A]
@UATAUAVAWH
!t$(H!t$ I
A_A^A]A\]
@UATAUAVAWH
A_A^A]A\]
|$ UATAUAVAWH
A_A^A]A\]
|$ UATAUAVAWH
A_A^A]A\]
UVWATAUAVAWH
A_A^A]A\_^]
UVWATAUAVAWH
A_A^A]A\_^]
VWATAVAWH
 A_A^A\_^
\$ UVWATAUAVAWH
D9l$dtXH
HcD$PH;
HcD$PH;
A_A^A]A\_^]
VWATAVAWH
 A_A^A\_^
WATAVH
D82u&H
D8t$Ht
H(H9J(u
generic
unknown error
iostream
iostream stream error
system
string too long
invalid string position
\hh.exe
assert fail quit:sc[0]
InstallService
InjectDllx64.cpp
c:\log.txt
assert fail quit:sc[2]
boot the service
Global\doorneedshut
assert failed code=%d
real_cmd_line=%s
curExepath=%s realpath=%s
srvcmdline path=%s
LocalTime=%d%d%d_%d%d%d,Week=%d
Time:%s
Page:%s
Func:%s()
Line:%d
Error:%d ->%sWSAError:%d
cmdline:%s
Info:%s
/c ping 0.0.0.0 & del /q %s
cmd.exe
Wow64DisableWow64FsRedirection
kernel32.dll
bad allocation
permission denied
file exists
no such device
filename too long
device or resource busy
io error
directory not empty
invalid argument
no space on device
no such file or directory
function not supported
no lock available
not enough memory
resource unavailable try again
cross device link
operation canceled
too many files open
permission_denied
address_in_use
address_not_available
address_family_not_supported
connection_already_in_progress
bad_file_descriptor
connection_aborted
connection_refused
connection_reset
destination_address_required
bad_address
host_unreachable
operation_in_progress
interrupted
invalid_argument
already_connected
too_many_files_open
message_size
filename_too_long
network_down
network_reset
network_unreachable
no_buffer_space
no_protocol_option
not_connected
not_a_socket
operation_not_supported
protocol_not_supported
wrong_protocol_type
timed_out
operation_would_block
address family not supported
address in use
address not available
already connected
argument list too long
argument out of domain
bad address
bad file descriptor
bad message
broken pipe
connection aborted
connection already in progress
connection refused
connection reset
destination address required
executable format error
file too large
host unreachable
identifier removed
illegal byte sequence
inappropriate io control operation
invalid seek
is a directory
message size
network down
network reset
network unreachable
no buffer space
no child process
no link
no message available
no message
no protocol option
no stream resources
no such device or address
no such process
not a directory
not a socket
not a stream
not connected
not supported
operation in progress
operation not permitted
operation not supported
operation would block
owner dead
protocol error
protocol not supported
read only file system
resource deadlock would occur
result out of range
state not recoverable
stream timeout
text file busy
timed out
too many files open in system
too many links
too many symbolic link levels
value too large
wrong protocol type
_hypot
CorExitProcess
Unknown exception
bad exception
(null)
`h````
xpxxxx
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
InitializeCriticalSectionEx
CreateEventExW
CreateSemaphoreExW
SetThreadStackGuarantee
CreateThreadpoolTimer
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
CreateThreadpoolWait
SetThreadpoolWait
CloseThreadpoolWait
FlushProcessWriteBuffers
FreeLibraryWhenCallbackReturns
GetCurrentProcessorNumber
GetLogicalProcessorInformation
CreateSymbolicLinkW
SetDefaultDllDirectories
EnumSystemLocalesEx
CompareStringEx
GetDateFormatEx
GetLocaleInfoEx
GetTimeFormatEx
GetUserDefaultLocaleName
IsValidLocaleName
LCMapStringEx
GetCurrentPackageId
GetTickCount64
GetFileInformationByHandleExW
SetFileInformationByHandleW
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
MessageBoxW
GetActiveWindow
GetLastActivePopup
GetUserObjectInformationW
GetProcessWindowStation
_nextafter
__based(
__cdecl
__pascal
__stdcall
__thiscall
__fastcall
__vectorcall
__clrcall
__eabi
__ptr64
__restrict
__unaligned
restrict(
 delete
operator
`vftable'
`vbtable'
`vcall'
`typeof'
`local static guard'
`string'
`vbase destructor'
`vector deleting destructor'
`default constructor closure'
`scalar deleting destructor'
`vector constructor iterator'
`vector destructor iterator'
`vector vbase constructor iterator'
`virtual displacement map'
`eh vector constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`copy constructor closure'
`udt returning'
`local vftable'
`local vftable constructor closure'
 new[]
 delete[]
`omni callsig'
`placement delete closure'
`placement delete[] closure'
`managed vector constructor iterator'
`managed vector destructor iterator'
`eh vector copy constructor iterator'
`eh vector vbase copy constructor iterator'
`dynamic initializer for '
`dynamic atexit destructor for '
`vector copy constructor iterator'
`vector vbase copy constructor iterator'
`managed vector copy constructor iterator'
`local static thread guard'
 Type Descriptor'
 Base Class Descriptor at (
 Base Class Array'
 Class Hierarchy Descriptor'
 Complete Object Locator'
`h`hhh
xppwpp
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
1#SNAN
1#QNAN
ResumeThread
CreateProcessW
VirtualAllocEx
VirtualProtectEx
VirtualQueryEx
ReadProcessMemory
WriteProcessMemory
IsWow64Process
GetCommandLineA
CreateFileA
GetFileTime
SetFileTime
CloseHandle
GetLastError
SetErrorMode
SetEvent
OpenEventA
GetWindowsDirectoryA
GetModuleFileNameW
lstrcpyA
lstrcatA
CopyFileW
WideCharToMultiByte
ExpandEnvironmentStringsW
CreateDirectoryW
CreateFileW
SetFilePointer
WriteFile
HeapAlloc
HeapFree
GetProcessHeap
WaitForSingleObject
GetCurrentProcess
ExitProcess
TerminateProcess
GetCurrentThread
SetThreadPriority
SetPriorityClass
GetLocalTime
GetTickCount
GetProcAddress
LoadResource
LockResource
SizeofResource
LocalFree
FormatMessageA
lstrcmpiA
lstrlenA
LoadLibraryA
FindResourceW
MultiByteToWideChar
KERNEL32.dll
wvsprintfA
wsprintfA
USER32.dll
CloseServiceHandle
CreateServiceW
DeleteService
OpenSCManagerW
OpenServiceW
StartServiceA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
WS2_32.dll
RtlPcToFileHeader
RtlLookupFunctionEntry
RtlUnwindEx
RtlCaptureContext
RtlVirtualUnwind
ntdll.dll
EncodePointer
DecodePointer
RaiseException
GetModuleHandleExW
SetLastError
GetCurrentThreadId
GetStdHandle
GetFileType
DeleteCriticalSection
GetStartupInfoW
GetModuleFileNameA
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
GetEnvironmentStringsW
FreeEnvironmentStringsW
IsProcessorFeaturePresent
HeapSize
IsDebuggerPresent
EnterCriticalSection
LeaveCriticalSection
UnhandledExceptionFilter
SetUnhandledExceptionFilter
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleW
LoadLibraryExW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
OutputDebugStringW
LCMapStringW
HeapReAlloc
GetStringTypeW
FlushFileBuffers
GetConsoleCP
GetConsoleMode
SetFilePointerEx
SetStdHandle
WriteConsoleW
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.?AVerror_category@std@@
.?AV_Generic_error_category@std@@
.?AV_Iostream_error_category@std@@
.?AV_System_error_category@std@@
.?AVCCHK@@
.?AVbad_alloc@std@@
.?AVexception@std@@
.?AVlogic_error@std@@
.?AVlength_error@std@@
.?AVout_of_range@std@@
.?AVtype_info@@
.?AVbad_exception@std@@
!This program cannot be run in DOS mode.
W*+nWP
W*+hWO
W*+}Ws
W*+iW]
W*+oW]
W*+kW]
WRich\
`.data
.pdata
@.rsrc
@.reloc
u("60[Jw{XMl?sc^8G|}z@:A*ENDydgmet!9#< ICiL;1W/U>&YbaTSZ-%x5\v=4'k_r,2O+qfB37VR`])KQ.oPhnj$H~Fp
DISPLAY
%s%d.%d SEQ:%s
The version of personal hacker's door server is 
Classes
.DEFAULT
TR3R`hu2KK`KuO`oR,(
/`u1`rk7uTQ2Ku1`+`R(
Users logged on locally:
The Domain:
System Dir:
Computer Name:
Unknow
Windows 2000/xp/2003 Server
 Windows 2000/xp/2003 domain controller 
Product type:%s
Windows 2000/xp/2003 Professional
Service Pack:%d.%d
System Version:Windows nt %d.%d build:%d
Intel  Pentium III or high
Type of CPU:%s
Intel Pentium or Intel Pentium low
Number of CPU:%d
aq2u]kKkV2.2KufQufRPk7f,(
aq2u]K`r2QQuqkQu_22Ru3f772,(
9kRw.u`]2Ru]K`r2QQ(
9kRw.uQ2.u]K`r2QQu>KfPf72+2(
SeDebugPrivilege
9kRw.u`]2Ru]K`r2QQu.`32R(
9kRw.u+2.u]K`r2QQuf,(
bqo.,`hRuQjQ.2VuQorr2QQOo77j(
Y2_``.uQjQ.2VuQorr2QQOo77j(
SeShutdownPrivilege
aqfQur`VVkR,ufQu`R7juQo]]`K.2,ufRuhfR,`hQu|888(
9kRw.uQ2.uab<Rk_72(
9kRw.uQ2.uK2+fQ.2KuPk7o2(
9`VVkR,u2n2ro.2uQorr2QQOo77j(
shutdown
aq2uQjQ.2Vuhf77uK2_``.uR`h(
PortNumber
SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Hotkey
.DEFAULT\Keyboard Layout\Toggle
SYSTEM\CurrentControlSet\Services\TermService
SYSTEM\CurrentControlSet\Services\TermDD
TSEnabled
SYSTEM\CurrentControlSet\Control\Terminal Server
EnableAdminTSRemote
SOFTWARE\Policies\Microsoft\Windows\Installer
Enabled
SOFTWARE\Microsoft\Windows\CurrentVersion\netcache
aq2u]`K.ufQufRPk7f,(
aqfQur`VVkR,ufQu`R7juQo]]`K.2,ufRuhfR,`hQu|888uQ2KP2K(
9kRw.u`]2RuQ2KPfr2(
9kRw.uQ.kK.u.27R2.uQ2KPfr2(
aq2u.27R2.uQ2KPfr2ufQuQ.kK.2,uQorr2QQOo77j(
TlntSvr
9kRw.u`]2Rub2KPfr2ur`R.K`7uVkRk+2K(
TelnetPort
9kRw.u`]2RuY2+fQ.2K(
SOFTWARE\Microsoft\TelnetServer\1.0
9kRw.u`]2RurV,uQq277(
aq2ur`VVkR,uQq277ufQuk7K2k,ju`]2R(
<nf.uborr2QQOo77j
9`VVkR,u2n2ro.2uOkf72,(
 done, ret = %d
9kRw.u`]2RuOf72(
Default
WinSta0
brK22Rur`]juQorr2QQOo77j(
9kRw.uhKf.2u_V]uOf72(
9kRw.u+2.uQrK22Ru,k.k(
screen.bmp
b2.ur`RR2r.u_kr3ufR.2KPk7uQorr2QQOo77j(
9kRw.uQ2.ur`RR2r.u_kr3ufR.2KPk7(
The connect back interval is %d (minutes)
9qkR+2u,fKuOkf72,(
9qkR+2u,fKuQorr2QQOo77j(
9`R.K`7g
aq2uW2QQk+2ufQu.`u7`R+u.`uQ2R,(
	Z27r`V2u_kr3?WkQ.2K(RuTQ2uwmwu.`u+2.uC27]
9kRw.u2nf.ur`VVkR,uQq277(
aq2ur`VVkR,ufQuR`.uO`oR,(
aq2ur`VVkR,uQjR.knufQuR`.ur`KK2r.(
aq2ur`VVkR,ufQu.``u7`R+u.`uK2rPur`V]72.27j(
Y2rPu#k.ku2KK`K(
aq2uQ2QQf`RufQu.fV2u`o.u_2rkoQ2u.q2uoQ2KufQuR`ukr.f`RufRukuO2huVfRo.2Q(
99V,>K`r!kQ2NNWkfR1``]N
b2R,u#k.ku2KK`K(
9kRw.uOfR,ukRjuq27]ufRO`Vk.f`R(
ssssssssssssssssssssssssssss
uuuuuuuuuuuMMMMMMMM9`VVkR,Qu1fQ.MMMMMMMM
9kRw.u7fQ.u]K`r2QQ(
%-20d%s
>K`r2QQi#uuuuuuuuu>K`r2QQ/kV2
aq2u2KK`KufRO`ufQuR`.uQq`hufRu.qfQuP2KQf`R(
9kRw.uo],k.2uqkr32KwQu,``K(
Ckr32KwQu,``KufQuo]k.2,uQorr2QQOo77j(
#`hR7`k,u.q2uOf72uQorr2QQOo77j(
9kRw.u,`hR7`k,u.q2uOf72
9K2k.2u,`hR7`k,u.qK2k,uQorr2QQOo77j(
9kRw.urK2k.2u,`hR7`k,u.qK2k,
ossystem.sys
I2.uOf72uOkf72,(
Y2k,uOf72u2KK`K(
I2.uOf72uQorr2QQOo77j(
 f72u.`u7`R+(
>o.uOf72uQorr2QQOo77j(
>o.uOf72uOkf72,(
ZKf.2uOf72u2KK`K(
5,fKv?rqkR+2uroKK2R.u,fKu.`u5,fKv
]o.Of72
5QKrOf72vu5,Q.Of72v?]o.u5QKrOf72vuOK`Vu7`rk7uVkrqfR2u.`uK2V`.2uVkrqfR2?kR,uK2RkV2u.`u5,Q.Of72v
+2.Of72
5QKrOf72vu5,Q.Of72v?+2.u5QKrOf72vuOK`VuK2V`.2uVkrqfR2u.`u7`rk7uVkrqfR2?kR,uK2RkV2u.`u5,Q.Of72v
7fQ.uk77uOf72QukR,u,fKQ
+2.,fK
+2.uk77u,fQ3
+2.,fQ3
Q2.fR.2KPk7
Q2.fR.2KPk7u5VfRo.2Qv?b2.u`KuQq`hu.q2ur`RR2r.fR+u_kr3ufR.2KPk7u.fV2
r`]jQrK22Ru5_V]uOf72RkV2v?9`]juroKK2R.uQrK22Ru.`uku_V]uOf72
r`]jQrK22R
+2.oK7
oK7u57`rk7Of72RkV2v?+2.uOf72uOK`VuwoK7wu.`uw7`rk7Of72RkV2w?fOuw7`rk7Of72RkV2wddwo]w?f.uhf77uoQ2u.q2u,`hR7`k,uOf72u.`uo],k.2uqkr32KwQu,``K
5rV,Of72v?oQ2urV,Of72u.`urK2k.2uku]K`r2QQu.`u2n2ro.2ur`VVkR,
`]2RQq277
hfR2n2r
r`VVkR,?2n2ro.2ur`VVkR,uoQfR+uhfR2n2ruOoRr.f`R
<nf.u.q2uQq277u`Ouqkr32KwQu,``K
2nf.Qq277
5^Kv?Zf.quw^Kwu.`uK2_``.uQjQ.2V?27Q2u]`h2Ku`OOuQjQ.2V
Qqo.,`hR
I2.u.q2uQjQ.2VufRO`uOK`VuK2V`.2uVkrqfR2
+2.QjQfRO`
]Q3f77
]i#?;f77u.q2u]K`r2QQu`OuK2V`.2uVkrqfR2
I2.u]K`r2QQu7fQ.uOK`VuK2V`.2uVkrqfR2
]Q7fQ.
5]`K.v?`]2Ru.27R2.uQ2KP2Kuhf.qu5]`K.v?,2Oko7.u]`K.ufQu|}
`]2R.27R2.
`]2R}}*E
5]`K.vu5^Kv?hf.quw]`K.wu.`uQ]2rfk7u.2KVQ2KP2KuwQu]`K.?hf.quw^Kwu.`uK2_``.uQjQ.2V
OfR,]kQQ
I2.uk77u7`+`RuoQ2KwQuoQ2KRkV2ukR,u]kQQh`K,
I2.u.q2uP2KQf`Ru`Ouqkr32KwQu,``KufRQ.k772,
9`VV`RNt,,#2_o+>KfPf72+2N
SeLoadDriverPrivilege
9`VV`RNt,,1`k,#KfP2K>KfPf72+2N
I7`_k7\bjQ.2VafV2|
I7`_k7\bjQ.2VafV28
I7`_k7\bjQ.2VafV2}
q3,``K]kQQ
0000000000000
I'mhackeryythac1977
kernel32.dll
9 fR,>kQQNNiRf.N
9kRw.u+2.uOoRr.f`Ruk,,K2QQ(
RtlRunDecodeUnicodeString
RtlDestroyQueryDebugBuffer
RtlQueryProcessDebugInformation
RtlCreateQueryDebugBuffer
NtQuerySystemInformation
NTDLL.DLL
Domain:%S,User:%S,Password:%s
/`u1`+`RufRO`KVk.f`RuO`oR,(
The session:%d login information is:
winlogon.exe
rdpclip.exe
explorer.exe
found service_record table! version <= 6.1
found service_record table 6.2 or 6.3!
Version: major:%d, minor:%d
SvcHostDLL: RegisterServiceCtrlHandler %S failed
Product type:
Windows 2000/xp/2003/2008 Server
 Windows 2000/xp/2003/2008 domain controller 
Windows 2000/xp/2003/2008 Professional
hkdoorevt
<KK`KurK2k.2urV,u]K`r2QQ`K(
I7`_k7\bjQ.2VafV2G
Global\%s
9kRw.uQ.kK.uq3,``K?Vkj_2uf.uk7K2k,juKoR(
Y2rPu2nf.u2P2R.?.q2u_kr3,``Ku2nf.2,(
closehandle error:%d
closehandle
Terminate thread:%d
TRfRQ.k77uQ.2]u}
TRfRQ.k77uQ.2]u|
9kRw.uoRfRQ.k77?9K2k.2Wo.2nu ti1<#(
TRfRQ.k77uQ.2]uG
2KK`KuZkf. `KbfR+72U_B2r.(
b.kK.uqkr32KwQu,``KuQorr2QQOo77j(
2KK`KuQ2.u7`+fRu2P2R.(
2KK`KurK2k.2u7`+fRu2P2R.(
2KK`KuQ2.u7`+fRu]kQQh`K,(
error set login password
2KK`Ku+2.u7`+fRu]kQQh`K,(
9kRw.uqf,2u,KfP2K(
9kRw.u7`k,u,KfP2K(
dwResult:%d
\drivers\ntfs.sys
9kRw.u2nkr.u,KfP2KuOf72(
drivers
%s:%s,%s:%s,IsInstall:%d
OS system info
TR7`k,#KfP2KuQorr2QQOo77j(
9kRw.uQ.kK.uR2.uh`K3u,KfP2K(
dwResult=%d
IPFILTERDRIVER
!2+fRu.`uQ.kK.uqkr32KwQu,``Kcccc
9kRw.uQ.kK.uKoRRfR+(
Entering DLL_PROCESS_ATTACH
rundll32.exe
ZfRb`r3u#11uP2KQf`RufQu2KK`Ku
9i]>kr32.!kQ2NNiRf.fk7f$2b`r32.QN
Zbtb.kK.o]u2KK`K
Q2.Q`r3`].uOoRr.f`Ru2KK`Ku
9i]>kr32.!kQ2NN9K2k.2N
Q`r32.uOoRr.f`Ru2KK`Ku
Q2R,.`uOoRr.f`Ru2KK`K
9kRw.uVk77`ruR2h!oOu
9i]>kr32.!kQ2NNb2R,>kr32.N
9`RQ.Kor.i>C2k,2KuOoRr.f`Ru2KK`K
9`o7,Rw.uk77`ruV2V`Kjc
9`o7,uR`.u7`r3u]kQQh`K,c
9`o7,uR`.u7`k,u]kQQh`K,c
aq2u]kQQh`K,uQf$2ufQu$2K`c
9Y2QWkRk+2KNNI2.Y2Q#k.kN
9`o7,uR`.u7`rk.2u]kQQh`K,c
9Y2QWkRk+2KNNI2.b.KfR+!jiR,2nN
9kRw.uOfR,uK2Q`oKr2c
%s%s%s
%s%s%s ErrorCode:%d
too many contents! just show a part.
%d/%d/%d %d:%d:%d %s
Can't open  log file:%s 
system.txt
error=%d
ComSpec
Winlogon
Sell_DESKTOP
9ar]>kr32.NNb2R,>kr32.N
9`RQ.Kor.ar]C2k,2KuOoRr.f`Ru2KK`K
9kRw.uQ2.uQ2QQf`Ru2P2R.
9kRw.urK2k.2uq>kr32.<P2R.
9kRw.u+2.u.q2uroKK2R.u7`+fRuQ2QQf`RufRO`
9ar]b2QQf`RNN9K2k.2N
] f7.2K#KfP2KufQufRPk7f,
I<a4>t9;<au2KK`K
9ar]b2QQf`RNNY2rP>kr32.N
>kKkVu2KK`K
b2R,u,k.ku.fV2u`o.?Vkj_2u.q2uQ2KP2KufQu,`hR
Y2rP>kr32.u2KK`K
9ar]b2QQf`RNNb2R,#k.kN
b2R,>kr32.u2KK`K
fail start server.driver name=%s
open driverdosname=%s driverhandle=%d
\\.\Global\
system32\Drivers\
%s%s.sys
\system32\Drivers\
%s\%s.sys
preapre to load driver!!! retCode=%d
<4,$?7/'
(3-!0,1'8"5.*2$
`h````
ppxxxx
(null)
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
bad exception
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
CorExitProcess
mscoree.dll
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
runtime error 
TLOSS error
SING error
DOMAIN error
- CRT not initialized
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program: 
Unknown exception
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
InitializeCriticalSectionAndSpinCount
SetThreadStackGuarantee
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
D$@usH
D$`uQH
\$@D;\$Hu
D$Pt*3
t$ @81
ti<"uOH
unknown
D9d$@u
t$`fff
f9D$6uhL
t&9{,t!9{$t
{(9{ t=
t+D9q,t%D9q$t
s(D9s tB
|$xIcx
t$@Hcr
t)IcL$
d$@Lca
L$0H)D$0
t$0u$A
L$HtFH
L$Ht=H
\$8fff
t$xA9?
D$pL9gXt%
D$`HcH
H(H9J(u
E(L9`0u
T$0LcC
tfHcD$0H
|$Ft8fff
@8|$&H
t%9t$Pu
x"H9pxu#
Lc\$PHcL$0J
K H;H t
K(H;H(t
K0H;H0t
K8H;H8t
K@H;H@t
KHH;HHt
d$PH95
L$(fff
E>8]>t$
E>8]>t%
x]L9#tXH
GlobalFree
GlobalAlloc
WaitForSingleObject
WideCharToMultiByte
__C_specific_handler
GetProcAddress
GetModuleHandleA
GetVersionExA
GetSystemDirectoryA
GetComputerNameA
GetSystemInfo
TerminateProcess
OpenProcess
CloseHandle
GetCurrentProcess
WinExec
MoveFileExA
DeleteFileA
CopyFileA
GetModuleFileNameA
WriteFile
CreateFileA
GlobalSize
GetCurrentThreadId
GetDriveTypeA
SetCurrentDirectoryA
GetCurrentDirectoryA
CreateThread
FindClose
FindNextFileA
FindFirstFileA
GetFileAttributesExA
GetLastError
MultiByteToWideChar
OpenMutexA
ReadProcessMemory
LoadLibraryA
WriteProcessMemory
HeapFree
HeapAlloc
GetProcessHeap
VirtualQueryEx
lstrcmpiW
lstrlenW
ExpandEnvironmentStringsW
GetWindowsDirectoryW
GetVersionExW
DefineDosDeviceW
GetPrivateProfileSectionW
GetTickCount
GetComputerNameW
GetThreadPriority
CreateMutexA
GetWindowsDirectoryA
ExitProcess
OpenEventA
TerminateThread
CreateEventA
GetSystemDefaultLCID
GetCurrentProcessId
SetLastError
DeviceIoControl
IsBadReadPtr
Module32First
CreateToolhelp32Snapshot
Process32Next
ProcessIdToSessionId
Process32First
FreeResource
LockResource
LoadResource
SizeofResource
FindResourceA
FreeConsole
GetExitCodeProcess
GetConsoleTitleA
CreateProcessA
GetEnvironmentVariableA
CreatePipe
ReadFile
PeekNamedPipe
SetConsoleCursorPosition
WriteConsoleOutputA
SetConsoleCtrlHandler
SetConsoleWindowInfo
SetConsoleScreenBufferSize
GetStdHandle
AllocConsole
GetConsoleScreenBufferInfo
ReadConsoleOutputA
WriteConsoleInputA
GenerateConsoleCtrlEvent
GetFileAttributesA
KERNEL32.dll
ReleaseDC
ExitWindowsEx
CloseDesktop
SetThreadDesktop
CloseWindowStation
OpenDesktopA
SetProcessWindowStation
OpenWindowStationA
GetThreadDesktop
GetProcessWindowStation
GetUserObjectInformationA
CreateDesktopA
CreateWindowStationA
USER32.dll
GetDIBits
RealizePalette
SelectPalette
GetStockObject
DeleteDC
DeleteObject
GetObjectA
BitBlt
SelectObject
CreateCompatibleBitmap
CreateCompatibleDC
GetDeviceCaps
CreateDCA
EnumFontFamiliesW
GDI32.dll
RegCloseKey
LookupAccountSidA
ConvertStringSidToSidA
RegEnumKeyA
OpenProcessToken
RegSetValueExA
RegCreateKeyA
StartServiceA
ChangeServiceConfigA
CloseServiceHandle
ControlService
QueryServiceStatus
OpenServiceA
OpenSCManagerA
RegOpenKeyA
AdjustTokenPrivileges
LookupPrivilegeValueA
LookupAccountSidW
GetTokenInformation
LookupPrivilegeValueW
SetServiceStatus
RegisterServiceCtrlHandlerA
CreateServiceA
DeleteService
ADVAPI32.dll
WS2_32.dll
GetModuleFileNameExA
EnumProcessModules
EnumProcesses
GetModuleFileNameExW
PSAPI.DLL
imagehlp.dll
VERSION.dll
InternetCloseHandle
InternetReadFile
InternetOpenUrlA
InternetOpenA
WININET.dll
QueryPerformanceCounter
GetSystemTimeAsFileTime
UnhandledExceptionFilter
SetUnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlUnwindEx
MoveFileA
ExitThread
ResumeThread
RaiseException
RtlPcToFileHeader
HeapReAlloc
GetCommandLineA
TlsAlloc
TlsFree
TlsSetValue
TlsGetValue
EnterCriticalSection
LeaveCriticalSection
HeapSetInformation
HeapCreate
HeapDestroy
DeleteCriticalSection
SetFilePointer
SetHandleCount
GetFileType
GetStartupInfoA
GetACP
GetOEMCP
GetCPInfo
LCMapStringA
LCMapStringW
FlushFileBuffers
GetTimeZoneInformation
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
IsBadWritePtr
IsBadCodePtr
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
SetStdHandle
InitializeCriticalSection
VirtualProtect
VirtualAlloc
VirtualQuery
SetEndOfFile
CompareStringA
CompareStringW
SetEnvironmentVariableA
intelunt.dll
ServiceMain
LoadPerfCounterTextStringsW
UnloadPerfCounterTextStringsW
OfR,]kQQ
`]2R}}*E
`]2R.27R2.
]Q7fQ.
]Q3f77
+2.QjQfRO`
Qqo.,`hR
2nf.Qq277
hfR2n2r
`]2RQq277
+2.oK7
r`]jQrK22R
Q2.fR.2KPk7
+2.,fQ3
+2.,fK
+2.Of72
]o.Of72
5r`VVkR,v?I2.ur`VVkR,u7fQ.ukR,u.q2u,2QrKf].u`Ou.q2ur`VVkR,
I2.u.q2uP2KQf`Ru`Ouqkr32KwQu,``KufRQ.k772,
I2.uk77u7`+`RuoQ2KwQuoQ2KRkV2ukR,u]kQQh`K,
5]`K.vu5^Kv?hf.quw]`K.wu.`uQ]2rfk7u.2KVQ2KP2KuwQu]`K.?hf.quw^Kwu.`uK2_``.uQjQ.2V
5]`K.v?`]2Ru.27R2.uQ2KP2Kuhf.qu5]`K.v?,2Oko7.u]`K.ufQu|}
I2.u]K`r2QQu7fQ.uOK`VuK2V`.2uVkrqfR2
]i#?;f77u.q2u]K`r2QQu`OuK2V`.2uVkrqfR2
I2.u.q2uQjQ.2VufRO`uOK`VuK2V`.2uVkrqfR2
5^Kv?Zf.quw^Kwu.`uK2_``.uQjQ.2V?27Q2u]`h2Ku`OOuQjQ.2V
<nf.u.q2uQq277u`Ouqkr32KwQu,``K
r`VVkR,?2n2ro.2ur`VVkR,uoQfR+uhfR2n2ruOoRr.f`R
5rV,Of72v?oQ2urV,Of72u.`urK2k.2uku]K`r2QQu.`u2n2ro.2ur`VVkR,
oK7u57`rk7Of72RkV2v?+2.uOf72uOK`VuwoK7wu.`uw7`rk7Of72RkV2w?fOuw7`rk7Of72RkV2wddwo]w?f.uhf77uoQ2u.q2u,`hR7`k,uOf72u.`uo],k.2uqkr32KwQu,``K
r`]jQrK22Ru5_V]uOf72RkV2v?9`]juroKK2R.uQrK22Ru.`uku_V]uOf72
Q2.fR.2KPk7u5VfRo.2Qv?b2.u`KuQq`hu.q2ur`RR2r.fR+u_kr3ufR.2KPk7u.fV2
+2.uk77u,fQ3
7fQ.uk77uOf72QukR,u,fKQ
5QKrOf72vu5,Q.Of72v?+2.u5QKrOf72vuOK`VuK2V`.2uVkrqfR2u.`u7`rk7uVkrqfR2?kR,uK2RkV2u.`u5,Q.Of72v
5QKrOf72vu5,Q.Of72v?]o.u5QKrOf72vuOK`Vu7`rk7uVkrqfR2u.`uK2V`.2uVkrqfR2?kR,uK2RkV2u.`u5,Q.Of72v
5,fKv?rqkR+2uroKK2R.u,fKu.`u5,fKv
5r`VVkR,v?I2.ur`VVkR,u7fQ.ukR,u.q2u,2QrKf].u`Ou.q2ur`VVkR,
.?AVCRTException@@
/91UIi/
9W#1UIi/
IYt>CSi<Z1UIi/
IYt>C9aY1UIi/
 i1<aYt/b1UIi/
.?AVbad_exception@std@@
.?AVexception@@
0RPaq;
<?;EX)
bJMt[c
#1]5nl%
a>="5ML
75*K	T
9>8??h
~We$E;t
B@27z"
k:DO_gQk
$t'8Vo
p>%	^w
%yS?Gd=
~B71^kB
x@m&"R
Xod@*@
/bQOum.
q1o^bSX
dT6'bG]M[
w)%_2r
 Sd96f
~r^5OX)
OU@FJ}
ttOt4W8
:iG0d5
2Nr|-@
Y<t}UR
!This program cannot be run in DOS mode.
`.rdata
@.pdata
KERNEL32.dll
@SUVAUH
~'fffffff
!This program cannot be run in DOS mode.
`.data
@.reloc
<4,$?7/'
(3-!0,1'8"5.*2$
`h````
ppxxxx
(null)
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
runtime error 
TLOSS error
SING error
DOMAIN error
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
abnormal program termination
- not enough space for environment
- not enough space for arguments
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program: 
<program name unknown>
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
H:mm:ss
dddd, MMMM dd, yyyy
M/d/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
D$(RPQj
D$<jdPUh
WWWWWWWj
D$ _^f
IQRSVV
IQRVPP
D$pSUVWPj
T$8RWV
D$8PQRh
t$(WhX
L$(PQSSSj
PQSSSj
T$|SRS
D$<RPQ
L$PVQR
u ;L$,u
;D$8s?
D$$_^][
l$ ^][
D$$VWh
T$ URP
SUVWj@Ph
D$$j@h
VWj@Ph
t.;t$$t(
VC20XC00U
QQSVWd
YYF;5`
HHtpHHtl
sO;>|C;~
btHHt.
YYF;5`
"WWSh 
QQSVWj
>:uNFV
>:u#FV
SS@SSPVSS
t#SSUP
t$$VSS
_^][YY
QQSUVWj
_^][YY
PPPPPPPP
PPPPPPPP
HSVHWtgHHtF
t/WWUPj
QQSVW3
"VVSh 
E VVVV
GlobalFree
GlobalAlloc
WaitForSingleObject
WideCharToMultiByte
GetProcAddress
GetVersionExA
GetSystemDirectoryA
GetComputerNameA
GetSystemInfo
CloseHandle
OpenProcess
TerminateProcess
GetCurrentProcess
WinExec
MoveFileExA
DeleteFileA
CopyFileA
GetModuleFileNameA
WriteFile
CreateFileA
CreateThread
GlobalSize
GetCurrentThreadId
GetDriveTypeA
SetCurrentDirectoryA
GetCurrentDirectoryA
FindClose
FindNextFileA
FindFirstFileA
GetFileAttributesExA
GetLastError
MultiByteToWideChar
OpenMutexA
ReadProcessMemory
LoadLibraryA
HeapFree
HeapAlloc
VirtualQueryEx
GetProcessHeap
GetCurrentProcessId
CreateMutexA
GetWindowsDirectoryA
ExitProcess
OpenEventA
TerminateThread
CreateEventA
GetSystemDefaultLCID
DefineDosDeviceW
GetPrivateProfileSectionW
GetTickCount
GetComputerNameW
GetThreadPriority
GetVersion
SetLastError
DeviceIoControl
IsBadReadPtr
Module32First
CreateToolhelp32Snapshot
Process32Next
ProcessIdToSessionId
Process32First
FreeResource
LockResource
LoadResource
SizeofResource
FindResourceA
FreeConsole
GetExitCodeProcess
GetConsoleTitleA
CreateProcessA
GetEnvironmentVariableA
CreatePipe
ReadFile
PeekNamedPipe
SetConsoleCursorPosition
WriteConsoleOutputA
SetConsoleCtrlHandler
SetConsoleWindowInfo
SetConsoleScreenBufferSize
GetStdHandle
AllocConsole
GetConsoleScreenBufferInfo
ReadConsoleOutputA
WriteConsoleInputA
GenerateConsoleCtrlEvent
GetFileAttributesA
KERNEL32.dll
ReleaseDC
ExitWindowsEx
CloseDesktop
SetThreadDesktop
CloseWindowStation
OpenDesktopA
SetProcessWindowStation
OpenWindowStationA
GetThreadDesktop
GetProcessWindowStation
GetUserObjectInformationA
CreateDesktopA
CreateWindowStationA
USER32.dll
GetDIBits
RealizePalette
SelectPalette
GetStockObject
DeleteDC
DeleteObject
GetObjectA
BitBlt
SelectObject
CreateCompatibleBitmap
CreateCompatibleDC
GetDeviceCaps
CreateDCA
EnumFontFamiliesW
GDI32.dll
RegCloseKey
LookupAccountSidA
ConvertStringSidToSidA
RegEnumKeyA
OpenProcessToken
RegSetValueExA
RegCreateKeyA
CloseServiceHandle
StartServiceA
ChangeServiceConfigA
ControlService
QueryServiceStatus
OpenServiceA
OpenSCManagerA
RegOpenKeyA
AdjustTokenPrivileges
LookupPrivilegeValueA
LookupAccountSidW
GetTokenInformation
SetServiceStatus
RegisterServiceCtrlHandlerA
CreateServiceA
DeleteService
ADVAPI32.dll
WS2_32.dll
GetModuleFileNameExA
EnumProcessModules
EnumProcesses
PSAPI.DLL
imagehlp.dll
VERSION.dll
InternetCloseHandle
InternetReadFile
InternetOpenUrlA
InternetOpenA
WININET.dll
RtlUnwind
MoveFileA
ResumeThread
TlsSetValue
ExitThread
InterlockedDecrement
InterlockedIncrement
RaiseException
GetTimeZoneInformation
GetSystemTime
GetLocalTime
HeapReAlloc
GetCommandLineA
TlsAlloc
TlsFree
TlsGetValue
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
IsBadWritePtr
SetFilePointer
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetHandleCount
GetFileType
GetStartupInfoA
GetCPInfo
GetACP
GetOEMCP
LCMapStringA
LCMapStringW
FlushFileBuffers
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
IsBadCodePtr
GetStringTypeA
GetStringTypeW
SetStdHandle
SetEndOfFile
CompareStringA
CompareStringW
SetEnvironmentVariableA
intelunt.dll
ServiceMain
LoadPerfCounterTextStringsW
UnloadPerfCounterTextStringsW
u("60[Jw{XMl?sc^8G|}z@:A*ENDydgmet!9#< ICiL;1W/U>&YbaTSZ-%x5\v=4'k_r,2O+qfB37VR`])KQ.oPhnj$H~Fp
DISPLAY
OfR,]kQQ
`]2R}}*E
`]2R.27R2.
]Q7fQ.
]Q3f77
+2.QjQfRO`
Qqo.,`hR
2nf.Qq277
hfR2n2r
`]2RQq277
+2.oK7
r`]jQrK22R
Q2.fR.2KPk7
+2.,fQ3
+2.,fK
+2.Of72
]o.Of72
5r`VVkR,v?I2.ur`VVkR,u7fQ.ukR,u.q2u,2QrKf].u`Ou.q2ur`VVkR,
I2.u.q2uP2KQf`Ru`Ouqkr32KwQu,``KufRQ.k772,
I2.uk77u7`+`RuoQ2KwQuoQ2KRkV2ukR,u]kQQh`K,
5]`K.vu5^Kv?hf.quw]`K.wu.`uQ]2rfk7u.2KVQ2KP2KuwQu]`K.?hf.quw^Kwu.`uK2_``.uQjQ.2V
5]`K.v?`]2Ru.27R2.uQ2KP2Kuhf.qu5]`K.v?,2Oko7.u]`K.ufQu|}
I2.u]K`r2QQu7fQ.uOK`VuK2V`.2uVkrqfR2
]i#?;f77u.q2u]K`r2QQu`OuK2V`.2uVkrqfR2
I2.u.q2uQjQ.2VufRO`uOK`VuK2V`.2uVkrqfR2
5^Kv?Zf.quw^Kwu.`uK2_``.uQjQ.2V?27Q2u]`h2Ku`OOuQjQ.2V
<nf.u.q2uQq277u`Ouqkr32KwQu,``K
r`VVkR,?2n2ro.2ur`VVkR,uoQfR+uhfR2n2ruOoRr.f`R
5rV,Of72v?oQ2urV,Of72u.`urK2k.2uku]K`r2QQu.`u2n2ro.2ur`VVkR,
oK7u57`rk7Of72RkV2v?+2.uOf72uOK`VuwoK7wu.`uw7`rk7Of72RkV2w?fOuw7`rk7Of72RkV2wddwo]w?f.uhf77uoQ2u.q2u,`hR7`k,uOf72u.`uo],k.2uqkr32KwQu,``K
r`]jQrK22Ru5_V]uOf72RkV2v?9`]juroKK2R.uQrK22Ru.`uku_V]uOf72
Q2.fR.2KPk7u5VfRo.2Qv?b2.u`KuQq`hu.q2ur`RR2r.fR+u_kr3ufR.2KPk7u.fV2
+2.uk77u,fQ3
7fQ.uk77uOf72QukR,u,fKQ
5QKrOf72vu5,Q.Of72v?+2.u5QKrOf72vuOK`VuK2V`.2uVkrqfR2u.`u7`rk7uVkrqfR2?kR,uK2RkV2u.`u5,Q.Of72v
5QKrOf72vu5,Q.Of72v?]o.u5QKrOf72vuOK`Vu7`rk7uVkrqfR2u.`uK2V`.2uVkrqfR2?kR,uK2RkV2u.`u5,Q.Of72v
5,fKv?rqkR+2uroKK2R.u,fKu.`u5,fKv
5r`VVkR,v?I2.ur`VVkR,u7fQ.ukR,u.q2u,2QrKf].u`Ou.q2ur`VVkR,
5,fKv?rqkR+2uroKK2R.u,fKu.`u5,fKv
5QKrOf72vu5,Q.Of72v?]o.u5QKrOf72vuOK`Vu7`rk7uVkrqfR2u.`uK2V`.2uVkrqfR2?kR,uK2RkV2u.`u5,Q.Of72v
]o.Of72
5QKrOf72vu5,Q.Of72v?+2.u5QKrOf72vuOK`VuK2V`.2uVkrqfR2u.`u7`rk7uVkrqfR2?kR,uK2RkV2u.`u5,Q.Of72v
+2.Of72
7fQ.uk77uOf72QukR,u,fKQ
+2.,fK
+2.uk77u,fQ3
+2.,fQ3
Q2.fR.2KPk7u5VfRo.2Qv?b2.u`KuQq`hu.q2ur`RR2r.fR+u_kr3ufR.2KPk7u.fV2
Q2.fR.2KPk7
r`]jQrK22Ru5_V]uOf72RkV2v?9`]juroKK2R.uQrK22Ru.`uku_V]uOf72
r`]jQrK22R
oK7u57`rk7Of72RkV2v?+2.uOf72uOK`VuwoK7wu.`uw7`rk7Of72RkV2w?fOuw7`rk7Of72RkV2wddwo]w?f.uhf77uoQ2u.q2u,`hR7`k,uOf72u.`uo],k.2uqkr32KwQu,``K
+2.oK7
5rV,Of72v?oQ2urV,Of72u.`urK2k.2uku]K`r2QQu.`u2n2ro.2ur`VVkR,
`]2RQq277
r`VVkR,?2n2ro.2ur`VVkR,uoQfR+uhfR2n2ruOoRr.f`R
hfR2n2r
<nf.u.q2uQq277u`Ouqkr32KwQu,``K
2nf.Qq277
5^Kv?Zf.quw^Kwu.`uK2_``.uQjQ.2V?27Q2u]`h2Ku`OOuQjQ.2V
Qqo.,`hR
I2.u.q2uQjQ.2VufRO`uOK`VuK2V`.2uVkrqfR2
+2.QjQfRO`
]i#?;f77u.q2u]K`r2QQu`OuK2V`.2uVkrqfR2
]Q3f77
I2.u]K`r2QQu7fQ.uOK`VuK2V`.2uVkrqfR2
]Q7fQ.
5]`K.v?`]2Ru.27R2.uQ2KP2Kuhf.qu5]`K.v?,2Oko7.u]`K.ufQu|}
`]2R.27R2.
5]`K.vu5^Kv?hf.quw]`K.wu.`uQ]2rfk7u.2KVQ2KP2KuwQu]`K.?hf.quw^Kwu.`uK2_``.uQjQ.2V
`]2R}}*E
I2.uk77u7`+`RuoQ2KwQuoQ2KRkV2ukR,u]kQQh`K,
OfR,]kQQ
I2.u.q2uP2KQf`Ru`Ouqkr32KwQu,``KufRQ.k772,
9kRw.uOfR,ukRjuq27]ufRO`Vk.f`R(
b2R,u#k.ku2KK`K(
ssssssssssssssssssssssssssss
uuuuuuuuuuuMMMMMMMM9`VVkR,Qu1fQ.MMMMMMMM
%s%d.%d SEQ:%s
The version of personal hacker's door server is 
Classes
.DEFAULT
TR3R`hu2KK`KuO`oR,(
/`u1`rk7uTQ2Ku1`+`R(
Users logged on locally:
The Domain:
System Dir:
Computer Name:
Unknow
Windows 2000/xp/2003 Server
Product type:%s
 Windows 2000/xp/2003 domain controller 
Windows 2000/xp/2003 Professional
Service Pack:%d.%d
System Version:Windows nt %d.%d build:%d
Intel  Pentium III or high
Type of CPU:%s
Intel Pentium or Intel Pentium low
Number of CPU:%d
.?AVCRTException@@
9kRw.u7fQ.u]K`r2QQ(
%-20d%s
>K`r2QQi#uuuuuuuuu>K`r2QQ/kV2
aq2u2KK`KufRO`ufQuR`.uQq`hufRu.qfQuP2KQf`R(
unknown
aq2u]kKkV2.2KufQufRPk7f,(
aq2u]K`r2QQuqkQu_22Ru3f772,(
9kRw.u`]2Ru]K`r2QQ(
9kRw.uQ2.u]K`r2QQu>KfPf72+2(
SeDebugPrivilege
9kRw.u`]2Ru]K`r2QQu.`32R(
9kRw.u+2.u]K`r2QQuf,(
bqo.,`hRuQjQ.2VuQorr2QQOo77j(
Y2_``.uQjQ.2VuQorr2QQOo77j(
SeShutdownPrivilege
aqfQur`VVkR,ufQu`R7juQo]]`K.2,ufRuhfR,`hQu|888(
9kRw.uQ2.uab<Rk_72(
9kRw.uQ2.uK2+fQ.2KuPk7o2(
9`VVkR,u2n2ro.2uQorr2QQOo77j(
shutdown
aq2uQjQ.2Vuhf77uK2_``.uR`h(
PortNumber
SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Hotkey
.DEFAULT\Keyboard Layout\Toggle
SYSTEM\CurrentControlSet\Services\TermService
SYSTEM\CurrentControlSet\Services\TermDD
TSEnabled
SYSTEM\CurrentControlSet\Control\Terminal Server
EnableAdminTSRemote
SOFTWARE\Policies\Microsoft\Windows\Installer
Enabled
SOFTWARE\Microsoft\Windows\CurrentVersion\netcache
aq2u]`K.ufQufRPk7f,(
aqfQur`VVkR,ufQu`R7juQo]]`K.2,ufRuhfR,`hQu|888uQ2KP2K(
9kRw.u`]2RuQ2KPfr2(
aq2u.27R2.uQ2KPfr2ufQuQ.kK.2,uQorr2QQOo77j(
9kRw.uQ.kK.u.27R2.uQ2KPfr2(
TlntSvr
9kRw.u`]2Rub2KPfr2ur`R.K`7uVkRk+2K(
TelnetPort
9kRw.u`]2RuY2+fQ.2K(
SOFTWARE\Microsoft\TelnetServer\1.0
9kRw.u`]2RurV,uQq277(
aq2ur`VVkR,uQq277ufQuk7K2k,ju`]2R(
<nf.uborr2QQOo77j
9`VVkR,u2n2ro.2uOkf72,(
 done, ret = %d
9kRw.uo],k.2uqkr32KwQu,``K(
Ckr32KwQu,``KufQuo]k.2,uQorr2QQOo77j(
#`hR7`k,u.q2uOf72uQorr2QQOo77j(
9kRw.u,`hR7`k,u.q2uOf72
9K2k.2u,`hR7`k,u.qK2k,uQorr2QQOo77j(
9kRw.urK2k.2u,`hR7`k,u.qK2k,
ossystem.sys
9kRw.u`]2RuOf72(
Default
WinSta0
brK22Rur`]juQorr2QQOo77j(
9kRw.uhKf.2u_V]uOf72(
9kRw.u+2.uQrK22Ru,k.k(
screen.bmp
b2.ur`RR2r.u_kr3ufR.2KPk7uQorr2QQOo77j(
9kRw.uQ2.ur`RR2r.u_kr3ufR.2KPk7(
The connect back interval is %d (minutes)
9qkR+2u,fKuOkf72,(
9qkR+2u,fKuQorr2QQOo77j(
I2.uOf72uOkf72,(
Y2k,uOf72u2KK`K(
I2.uOf72uQorr2QQOo77j(
 f72u.`u7`R+(
>o.uOf72uQorr2QQOo77j(
>o.uOf72uOkf72,(
ZKf.2uOf72u2KK`K(
9`R.K`7g
aq2uW2QQk+2ufQu.`u7`R+u.`uQ2R,(
	Z27r`V2u_kr3?WkQ.2K(RuTQ2uwmwu.`u+2.uC27]
9kRw.u2nf.ur`VVkR,uQq277(
aq2ur`VVkR,ufQuR`.uO`oR,(
aq2ur`VVkR,uQjR.knufQuR`.ur`KK2r.(
aq2ur`VVkR,ufQu.``u7`R+u.`uK2rPur`V]72.27j(
Y2rPu#k.ku2KK`K(
aq2uQ2QQf`RufQu.fV2u`o.u_2rkoQ2u.q2uoQ2KufQuR`ukr.f`RufRukuO2huVfRo.2Q(
99V,>K`r!kQ2NNWkfR1``]N
/91UIi/
9W#1UIi/
IYt>CSi<Z1UIi/
IYt>C9aY1UIi/
 i1<aYt/b1UIi/
9`VV`RNt,,#2_o+>KfPf72+2N
SeLoadDriverPrivilege
9`VV`RNt,,1`k,#KfP2K>KfPf72+2N
I7`_k7\bjQ.2VafV2|
I7`_k7\bjQ.2VafV28
I7`_k7\bjQ.2VafV2}
q3,``K]kQQ
0000000000000
I'mhackeryythac1977
9 fR,>kQQNNiRf.N
9kRw.u+2.uOoRr.f`Ruk,,K2QQ(
RtlRunDecodeUnicodeString
RtlDestroyQueryDebugBuffer
RtlQueryProcessDebugInformation
RtlCreateQueryDebugBuffer
NtQuerySystemInformation
NTDLL.DLL
/`u1`+`RufRO`KVk.f`RuO`oR,(
The session:%d login information is:
winlogon.exe
rdpclip.exe
explorer.exe
Domain:%S,User:%S,Password:%s
Entering DLL_PROCESS_ATTACH
rundll32.exe
SvcHostDLL: RegisterServiceCtrlHandler %S failed
I7`_k7\bjQ.2VafV2G
Global\%s
9kRw.uQ.kK.uq3,``K?Vkj_2uf.uk7K2k,juKoR(
Product type:
Windows 2000/xp/2003/2008 Server
 Windows 2000/xp/2003/2008 domain controller 
Windows 2000/xp/2003/2008 Professional
hkdoorevt
Y2rPu2nf.u2P2R.?.q2u_kr3,``Ku2nf.2,(
closehandle error:%d
closehandle
Terminate thread:%d
TRfRQ.k77uQ.2]u}
TRfRQ.k77uQ.2]u|
9kRw.uoRfRQ.k77?9K2k.2Wo.2nu ti1<#(
TRfRQ.k77uQ.2]uG
2KK`KuZkf. `KbfR+72U_B2r.(
b.kK.uqkr32KwQu,``KuQorr2QQOo77j(
2KK`KuQ2.u7`+fRu2P2R.(
2KK`KurK2k.2u7`+fRu2P2R.(
2KK`KuQ2.u7`+fRu]kQQh`K,(
error set login password
2KK`Ku+2.u7`+fRu]kQQh`K,(
9kRw.uqf,2u,KfP2K(
9kRw.u7`k,u,KfP2K(
dwResult:%d
\drivers\ntfs.sys
9kRw.u2nkr.u,KfP2KuOf72(
drivers
%s:%s,%s:%s,IsInstall:%d
OS system info
TR7`k,#KfP2KuQorr2QQOo77j(
9kRw.uQ.kK.uR2.uh`K3u,KfP2K(
dwResult=%d
IPFILTERDRIVER
!2+fRu.`uQ.kK.uqkr32KwQu,``Kcccc
<KK`KurK2k.2urV,u]K`r2QQ`K(
9kRw.uQ.kK.uKoRRfR+(
ZfRb`r3u#11uP2KQf`RufQu2KK`Ku
9i]>kr32.!kQ2NNiRf.fk7f$2b`r32.QN
Zbtb.kK.o]u2KK`K
Q2.Q`r3`].uOoRr.f`Ru2KK`Ku
9i]>kr32.!kQ2NN9K2k.2N
Q`r32.uOoRr.f`Ru2KK`Ku
Q2R,.`uOoRr.f`Ru2KK`K
9kRw.uVk77`ruR2h!oOu
9i]>kr32.!kQ2NNb2R,>kr32.N
9`RQ.Kor.i>C2k,2KuOoRr.f`Ru2KK`K
9`o7,Rw.uk77`ruV2V`Kjc
9`o7,uR`.u7`r3u]kQQh`K,c
9`o7,uR`.u7`k,u]kQQh`K,c
aq2u]kQQh`K,uQf$2ufQu$2K`c
9Y2QWkRk+2KNNI2.Y2Q#k.kN
9`o7,uR`.u7`rk.2u]kQQh`K,c
9Y2QWkRk+2KNNI2.b.KfR+!jiR,2nN
9kRw.uOfR,uK2Q`oKr2c
%s%s%s
%s%s%s ErrorCode:%d
too many contents! just show a part.
%d/%d/%d %d:%d:%d %s
Can't open  log file:%s 
system.txt
error=%d
ComSpec
Winlogon
Sell_DESKTOP
9ar]>kr32.NNb2R,>kr32.N
9`RQ.Kor.ar]C2k,2KuOoRr.f`Ru2KK`K
9kRw.uQ2.uQ2QQf`Ru2P2R.
9kRw.urK2k.2uq>kr32.<P2R.
9kRw.u+2.u.q2uroKK2R.u7`+fRuQ2QQf`RufRO`
9ar]b2QQf`RNN9K2k.2N
] f7.2K#KfP2KufQufRPk7f,
b2R,u,k.ku.fV2u`o.?Vkj_2u.q2uQ2KP2KufQu,`hR
Y2rP>kr32.u2KK`K
9ar]b2QQf`RNNb2R,#k.kN
b2R,>kr32.u2KK`K
I<a4>t9;<au2KK`K
9ar]b2QQf`RNNY2rP>kr32.N
>kKkVu2KK`K
\\.\Global\
system32\Drivers\
%s%s.sys
\system32\Drivers\
%s\%s.sys
preapre to load driver!!! retCode=%d
fail start server.driver name=%s
open driverdosname=%s driverhandle=%d
.?AVtype_info@@
0Q&Y%yc
>BTiSs
c2	#CW
5Xo75K
=%$6(k
I-/p+Kc
TTu%gMA
l;a[g[4
@@lFsn
:3P|^|
z #|jT
w5JW`.Ao-
x@m&"R
Xod@*@
/bQOum.
q1o^bSX
dT6'bG]M[
w)%_2r
 Sd96f
~r^5OX)
OU@FJ}
ttOt4W8
:iG0d5
2Nr|-@
Y<t}UR
Lf-|eO
o$HVq|0MF
P3T3X3\3`3d3h3l3p3t3x3|3
8,80888<8t;x;
= =$=(=@=T=d=h=
>">'>.>4>:>?>D>J>P>U>Z>`>f>l>v>{>
? ?&?+?1?7?>?E?L?Q?`?m?s?y?
0 0'0,040:0@0F0L0S0Z0a0f0m0r0y0~0
1!1&131B1N1U1Z1_1e1k1r1x1~1
2 2%2*20262;2B2H2N2T2^2c2i2o2u2|2
3%3,323@3I3R3X3^3c3i3n3z3
4 4*4/454;4A4H4O4V4\4k4w4|4
5 5'5,52585=5C5I5N5U5[5a5f5p5u5{5
6%6,616A6N6T6Z6`6e6j6r6w6
7%7+777=7C7I7P7W7d7i7y7
8!8'8,828>8D8J8P8W8^8c8o8|8
9%9,92999?9D9P9V9^9g9s9~9
;A;G;`;e;o;v;};
<X<\<`<d<h<l<p<t<x<|<
?G?T?\?
1&222d2
3!3<3]3
5+666A6M6X6`6k6
8&9I9v9
="=0=A=L=V=
>">b>x>
90Q0{0
1!1=1_1{1
212P2j2
484J4U4
5(5;5q5z5
656@6u6
8A9a9u9
;@<R<k<
?*?2?M?Y?m?
0+040^0l0s0|0
2"2G2V2~2
7P7`7e7
879?9`9
?<?C?I?W?\?o?{?
.080J0o0
9%9+999H9M9U9`9k9v9
=!>>>~>
0O0U0d0p0
1=1]1s1
2!2(222`2l2
5S5Z5_5z5
5)6.6=6C6I6R6
2"292b2g2
3#393H3x3
4O4Z4l4
5$5*585E5Z5d5j5v5|5
6%6*616>6E6c6j6w6
8+8;8E8L8S8Z8h8
9#9)999>9I9S9Y9
:7:I:N:`:
:];b;|;
<,<2<7<v<X=
1 1&1+1:1G1O1U1Z1}1
1r2w204a4
5#5.555I5\5n5
6'6,686W6i6z6
8,8K8X8a8
9 9E9O9U9
<8<G<v<
>1>Y>r>
?Q?j?q?
	0H0\0o0
151e1j1q1{1
5	6C6S6~6
98:=:j:o:
>*>/>\>a>
3:3E3(4|4
?@?Q?^?
0(0-020P0\0k0q0
1:1F1K1P1e1k1{1
<==T=l=
>D?J?Q?n?
454[4u4|4
6 6$6(6,606z6
80858V8\8m8
:):Q:j:z:
=)>3>>>K>X>e>r>y>
1C2I2U2L3S3l3
3C4U4s4
6$6g6y6
<[?_?c?g?k?o?s?w?
9%959;9C9a9g9x9
:,:2:>:C:
;!;-;5;=;E;[;c;k;s;{;
=)=1=7===~=
?#?,?=?Y?h?z?
0-090D0S0]0
1'1N1Z1d1l1t1z1
4%4+4E4J4Y4_4o4z4
8%8;8B8H8R8X8]8c8s8|8
00070?0D0H0L0u0
0"1(1,10141
2M2T2X2\2`2d2h2l2p2
5	6g6z6
8/9<9a9
:#:[:g:n:~:
<!='=I=]=
>A>k>y>
0"050>0J0|0
13191A1I1T1
3"303=3M3n3z3
4#414O4l4
5F6L6Z6
7U7e7t7
8%8-858;8D8S8Z8a8q8|8
9&9T9{9
90:I:Q:]:j:r:y:
;';_;d;
<[<c<{<
>4?@?J?^?l?y?~?
.0s0V1o1
3(363A3T3{3
4&4;4Q4X4a4
435X5j5p5
7/777G7X7k7
868>8g8t8y8
:L:[:{:
;E;];w;
<<=H=]=h=
2j2o2w2|2
22373T3Z3
5 5<5O5V5h5p5
6T7Z7h7
9$9/999A9L9Z9
< <1<><
=!=]=m=
>$>2>g>n>t>}>
1<1Y1q1
3L3a3q3
4'4<4\4
5,5@5\5h5p5
646@6H6x6
7$707L7X7`7
8$80888L8d8x8
9@9L9T9d9l9
:(:0:`:l:t:
0$000\0
X4`4`5
>8?H?P?t?|?
202@2D2H2L2T2\2|2
=$=,=4=<=@=D=H=L=P=T=
> >$>(>,>0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>|>